Abstract. In this paper we give an overview of some of the cryptographic applications which were derived from the proposal of R. J. McEliece to use error correcting codes for cryptographic purposes. Code based cryptography is an interesting alternative to number theoretic cryptography. Many basic cryptographic functions like encryption, signing, hashing, etc. can be realized using code theoretic concepts.

In this paper we briefly show how to correct errors in transmitted data by employing Goppa codes and describe possible applications to public key cryptography.

The main focus of this paper is to provide detailed insight into the state of the art of cryptanalysis of the McEliece cryptosystem and its effect on different cryptographic applications. We conclude that for code based cryptography a public key of 88KB offers sufficient security for encryption, while we need a public key of at least 597KB for secure signing.
1 Introduction


In this paper we want to give an overview of the McEliece cryptosystem and the primitives it is based on. First, we give an introduction into coding theory and the construction principle of the cryptosystem. In the second section, we present Goppa codes, which at the moment seem to be the best choice for cryptographic applications. In Sections 3 to 5 we present known attacks on the McEliece PKC and consequences for the choice of system parameters. Afterwards we will present CCA2-secure conversions and show how to build other cryptographic protocols from the basic scheme. Finally we will discuss performance and secure choices of parameters for the McEliece PKC.


1.1 History 


In 1978 R. McEliece proposed the first public key cryptosystem which is based on coding theory. McEliece's proposal to use Goppa codes for cryptographic applications is one of the oldest public key cryptosystems and remains unbroken for appropriate system parameters. In 1986, Niederreiter proposed a different scheme which uses GRS codes. This proposal is equivalent (dual) to McEliece's proposal if we substitute the GRS codes by Goppa codes [33]. Sidelnikov and Shestakov showed in 1992 that Niederreiter's proposal to use GRS codes is insecure.

Several proposals were made to modify McEliece’s original scheme (see e.g. [18], 
[17], [19], [47] and [26]). Most of them replace the Goppa codes with other codes. 
However, most of them turned out to be insecure or inefficient compared to McEliece’s 
original proposal (see e.g. [39] or [28]). 

The most important variants of McEliece’s scheme are the ones proposed by Ko- 
bara and Imai in 2001. These variants are CCA2-secure and provably as secure as the 
original scheme [27]. 

Parallel to the efforts to build an efficient encryption scheme based on coding the- 
ory, there were several attempts to build other cryptographic protocols based on error 
correcting codes. Most efforts to build a signature scheme failed (compare [52], [23], 
[3] and [51]), until finally in 2001 Courtois, Finiasz and Sendrier made a promising 
proposal [12]. In addition, there exists an identification scheme by Stern [50], which is 
based on coding theory. 

There are also attempts to build fast hash functions and random number genera- 
tors using the principles of coding theory (see e.g. [4], [14]). All in all, this provides 
sufficient motivation to have a closer look at the McEliece cryptosystem as a serious 
alternative to the established PKCs based on number theory. 


1.2 Coding theory and problems 


The security of the cryptosystems reviewed in this paper is based on the difficulty of 
some classical problems of coding theory. Here we give an introduction into the topic 
of coding theory. 


Definition 1.1. An $(n,k)$-code $\mathcal{C}$ over a finite field $\mathbb{F}$ is a $k$-dimensional subspace of the vector space $\mathbb{F}^n$. We call $\mathcal{C}$ an $(n,k,d)$-code if its minimum distance is $d = \min_{x,y \in \mathcal{C},\, x \neq y} \operatorname{dist}(x,y)$, where "dist" denotes a distance function, e.g. the Hamming distance. The distance of $x \in \mathbb{F}^n$ to the null vector, $\operatorname{wt}(x) := \operatorname{dist}(0,x)$, is called the weight of $x$.


Definition 1.2. The matrix $G \in \mathbb{F}^{k \times n}$ is a generator matrix for the $(n,k)$ code $\mathcal{C}$ over $\mathbb{F}$ if the rows of $G$ span $\mathcal{C}$ over $\mathbb{F}$. The matrix $H \in \mathbb{F}^{(n-k) \times n}$ is called check matrix for the code $\mathcal{C}$ if the columns of $H^{\top}$ span the right kernel of $G$, i.e. $G H^{\top} = 0$. The code generated by $H$ is called the dual code of $\mathcal{C}$ and denoted by $\mathcal{C}^{\perp}$.


With these definitions, we are able to define some basic problems of coding theory. 
Here the distance function used will be the Hamming distance, although there exist 
other notions of distance. 


Definition 1.3. The general decoding problem for linear codes is defined as follows:
• Let $\mathcal{C}$ be an $(n,k)$ linear code over $\mathbb{F}$ and $y \in \mathbb{F}^n$.
• Find $x \in \mathcal{C}$ such that $\operatorname{dist}(y,x)$ is minimal.

Let $e$ be a vector of weight $\leq t := \lfloor (d-1)/2 \rfloor$ and $x \in \mathcal{C}$. Then there is a unique solution to the general decoding problem for $y = x + e$. The code $\mathcal{C}$ is said to be a $t$-error correcting code.


Definition 1.4. The problem of finding weights (SUBSPACE WEIGHTS) of a linear code is defined as follows:
• Let $\mathcal{C}$ be an $(n,k)$ linear code over $\mathbb{F}$ and $w \in \mathbb{N} = \{1,2,3,\dots\}$.
• Find $x \in \mathcal{C}$ satisfying $\operatorname{dist}(0,x) = w$.


Our hope that we might be able to construct secure cryptosystems based on the 
problems above is based on the following result. 


Theorem 1.5. The general decoding problem and the problem of finding weights are NP-hard.

Proof. See [5]. □
We present another problem based on the equivalence of codes: 


Definition 1.6. Two $(n,k)$ codes $\mathcal{C}$ and $\mathcal{C}'$ over a field $\mathbb{F}$ are called permutation equivalent if there exists a permutation $\pi$ in the symmetric group $S_n$ on $n$ elements such that
$$\mathcal{C}' = \pi(\mathcal{C}) = \bigl\{ (x_{\pi^{-1}(1)}, \dots, x_{\pi^{-1}(n)}) \mid x \in \mathcal{C} \bigr\}.$$
The subgroup of $S_n$ which keeps $\mathcal{C}$ fixed will be called $\operatorname{Aut}(\mathcal{C})$.

Given two generator matrices $G$ and $G'$ the problem is to decide whether the codes generated by the matrices are permutation equivalent or not. In the case $\mathbb{F} = \mathbb{F}_2$ the definition of permutation equivalence coincides with the definition of equivalence:


Definition 1.7. Two $(n,k)$ codes $\mathcal{C}$ and $\mathcal{C}'$ over $\mathbb{F}$ are called equivalent if there exist $\pi \in S_n$, an $n$-tuple $(a_i)_{1 \leq i \leq n} \in \mathbb{F}^n$ of non-zero elements and a field automorphism $\phi$ of $\mathbb{F}$ such that
$$x \in \mathcal{C} \iff \bigl(\phi(a_i\, x_{\pi(i)})\bigr)_{1 \leq i \leq n} \in \mathcal{C}'.$$


In Section 3.3, we will see an algorithm which solves the problem to decide whether 
two codes are permutation equivalent or not. 

Throughout this paper, we will use the following notation. We write $\mathcal{G} = \langle G \rangle$ if the linear $(n,k)$-code $\mathcal{G}$ over $\mathbb{F}$ has the generator matrix $G$. We can write $x \in \mathcal{G}$ as $(x_1, \dots, x_n) \in \mathbb{F}^n$. For any (ordered) subset $\{j_1, \dots, j_m\} = J \subseteq \{1, \dots, n\}$ we denote the vector $(x_{j_1}, \dots, x_{j_m}) \in \mathbb{F}^m$ by $x_J$. Similarly we denote by $M_{\cdot J}$ the submatrix of a $k \times n$ matrix $M$ consisting of the columns corresponding to the indices in $J$, and by $M_{J' \cdot} = (M^{\top}_{\cdot J'})^{\top}$ the submatrix of the rows indexed by $J'$, for any (ordered) subset $J'$ of $\{1, \dots, k\}$.


1.3 McEliece PKC 


This cryptosystem was proposed by McEliece [37] and is the first which uses error correcting codes as a trapdoor. It remains unbroken in its original version. Although it uses Goppa codes (see Section 2) in the original description, any subclass of the class of alternant codes could be used. However, such a choice might not reach the desired security (compare Section 3.2 or e.g. [39]). The trapdoor for the McEliece cryptosystem is the knowledge of an efficient error correcting algorithm (which is available for Goppa codes).

We briefly describe the cryptosystem:
• System Parameters: $n, t \in \mathbb{N}$, where $t \ll n$.
• Key Generation: Given the parameters $n, t$ generate the following matrices:
    $G'$: $k \times n$ generator matrix of a binary $(n,k)$ code $\mathcal{G}$ with minimum distance $d \geq 2t+1$. (This will be a Goppa code in the following.)
    $S$: $k \times k$ random binary non-singular matrix
    $P$: $n \times n$ random permutation matrix
  Then, compute the $k \times n$ matrix $G = S G' P$.
• Public Key: $(G, t)$
• Private Key: $(S, \mathcal{D}_{\mathcal{G}}, P)$, where $\mathcal{D}_{\mathcal{G}}$ is an efficient decoding algorithm for $\mathcal{G}$.
• Encryption: To encrypt a plaintext $m \in \{0,1\}^k$ choose a vector $z \in \{0,1\}^n$ of weight $t$ randomly and compute the ciphertext $c$ as follows:
  $$c = mG \oplus z.$$
• Decryption: To decrypt a ciphertext $c$ calculate
  $$cP^{-1} = (mS)\,G' \oplus zP^{-1}$$
  first, and apply the decoding algorithm $\mathcal{D}_{\mathcal{G}}$ for $\mathcal{G}$ to it. Since $cP^{-1}$ has Hamming distance $t$ to $\mathcal{G}$ we obtain the codeword
  $$mSG' = \mathcal{D}_{\mathcal{G}}(cP^{-1}).$$
  Let $J \subseteq \{1, \dots, n\}$ be a set such that $G'_{\cdot J}$ is invertible. Then we can compute the plaintext $m = (mSG')_J\,(G'_{\cdot J})^{-1}\,S^{-1}$.


There are some restrictions to the choice of the McEliece system parameters given 
by the attacks, if we want to get optimal security. We are going to discuss them later 
on. 


Definition 1.8. The McEliece problem is described as follows:
• Given a McEliece public key $(G, t)$ where $G \in \{0,1\}^{k \times n}$ and a ciphertext $c \in \{0,1\}^n$,
• find the (unique) message $m \in \{0,1\}^k$ such that $\operatorname{dist}(mG, c) = t$.


It is easy to see that someone who is able to solve the general decoding problem is 
able to solve the McEliece problem. The reverse is presumably not true, as the code 


A Summary of McEliece-Type Cryptosystems and their Security 155 


$\mathcal{G} = \langle G \rangle$ is not a random one, but permutation equivalent to a code of a known class (a Goppa code in our definition). We cannot assume that the McEliece problem is NP-hard: solving the McEliece problem would only solve the general decoding problem for a certain class of codes and not for all codes.

In the case of McEliece’s original proposal, Canteaut and Chabaud state the fol- 
lowing: “The row scrambler S has no cryptographic function; it only assures for 
McEliece’s system that the public matrix is not systematic otherwise most of the bits of 
the plaintext would be revealed” [8]. However, for some variants of McEliece’s PKC, 
this statement is not true, as e.g. in the case of the CCA2-secure variants (which we 
are going to present in Section 6). The importance of P is not that easy to see. We will 
come back to this question in Section 3. 


1.4 Niederreiter PKC 


The Niederreiter PKC is a knapsack-type cryptosystem which uses an $(n,k)$ linear code which can correct up to $t$ errors and for which an efficient decoding algorithm is known. We describe the cryptosystem briefly:

• System Parameters: $n, t \in \mathbb{N}$, where $t < n$.
• Key Generation: Given the parameters $n, t$ generate the following matrices:
    $H$: $(n-k) \times n$ check matrix of a binary code $\mathcal{G}$ which can correct up to $t$ errors
    $M$: $(n-k) \times (n-k)$ random binary non-singular matrix
    $P$: $n \times n$ random permutation matrix
  Then, compute the $(n-k) \times n$ matrix $H' = MHP$.
• Public Key: $(H', t)$
• Private Key: $(P, \mathcal{D}_{\mathcal{G}}, M)$, where $\mathcal{D}_{\mathcal{G}}$ is an efficient syndrome decoding algorithm for $\mathcal{G}$.
• Encryption: A message $m$ is represented as a vector $e \in \{0,1\}^n$ of weight $t$, called plaintext. To encrypt it, we compute the syndrome
  $$s = H' e^{\top}.$$
• Decryption: To decrypt a ciphertext $s$ calculate
  $$M^{-1} s = H P e^{\top}$$
  first, and apply the syndrome decoding algorithm $\mathcal{D}_{\mathcal{G}}$ for $\mathcal{G}$ to it in order to recover $P e^{\top}$. Now, we can obtain the plaintext $e^{\top} = P^{-1} P e^{\top}$.

The security of the Niederreiter PKC and that of the McEliece PKC are equivalent: an attacker who can break one is able to break the other and vice versa [33].
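Both schemes above, carried out in code as an added worked example that is not part of the paper: key generation, encryption and decryption of McEliece and of Niederreiter run on the same secret code. The code is the binary BCH(15,7) code (minimum distance 5, so $t = 2$), and a syndrome table plays the role of the secret decoder $\mathcal{D}_{\mathcal{G}}$; the parameters, the generator polynomial, the bit-vector representation and the function names are choices made for this example. A real key uses a Goppa code with $n$ in the thousands (Section 2), where no such table exists and only the holder of $g$ can decode.

```python
import random
from itertools import combinations

# Toy parameters: the binary BCH(15,7) code (d = 5) corrects t = 2 errors. Its
# syndrome table plays the role of the secret efficient decoder D_G; with a real
# key the code is a Goppa code and D_G is Algorithm 2.3.1.
N, K, T = 15, 7, 2
GEN_POLY = 0b111010001            # g(x) = x^8 + x^7 + x^6 + x^4 + 1 generates BCH(15,7)

# Vectors are N-bit ints (bit i = coordinate i); matrices are lists of row ints.
def weight(v): return bin(v).count("1")
def vec_mat(v, M):                # row vector times matrix over GF(2)
    r = 0
    for i, row in enumerate(M):
        if v >> i & 1: r ^= row
    return r
def mat_vec(M, v):                # matrix times column vector, result packed as int
    return sum((weight(row & v) & 1) << i for i, row in enumerate(M))
def mat_mul(A, B): return [vec_mat(row, B) for row in A]
def transpose(M, ncols):
    return [sum((row >> c & 1) << r for r, row in enumerate(M)) for c in range(ncols)]

def gf2_inverse(A):
    """Gauss-Jordan on [A | I] over GF(2); None if A is singular."""
    n = len(A); rows = [A[i] | 1 << (n + i) for i in range(n)]
    for c in range(n):
        p = next((i for i in range(c, n) if rows[i] >> c & 1), None)
        if p is None: return None
        rows[c], rows[p] = rows[p], rows[c]
        for i in range(n):
            if i != c and rows[i] >> c & 1: rows[i] ^= rows[c]
    return [r >> n for r in rows]

def random_invertible(n, rng):
    while True:
        A = [rng.getrandbits(n) for _ in range(n)]
        if gf2_inverse(A) is not None: return A

def random_permutation(n, rng):   # row i of P has its single 1 in column perm[i]
    perm = list(range(n)); rng.shuffle(perm)
    return [1 << p for p in perm]

# --- the secret code: generator matrix G', check matrix H and decoder D_G ---
G_PRIV = [GEN_POLY << i for i in range(K)]          # cyclic shifts of g(x): k x n
def _check_matrix():
    h, a = 0, (1 << N) | 1                          # h(x) = (x^n + 1) / g(x)
    while a.bit_length() >= GEN_POLY.bit_length():
        s = a.bit_length() - GEN_POLY.bit_length(); h |= 1 << s; a ^= GEN_POLY << s
    assert a == 0
    # row j (k <= j < n) is sum_i c_i h_{j-i}: coefficient j of c(x) h(x) vanishes on codewords
    return [sum((h >> (j - i) & 1) << i for i in range(N) if 0 <= j - i <= K)
            for j in range(K, N)]
H_PRIV = _check_matrix()                            # (n-k) x n
SYN_TABLE = {mat_vec(H_PRIV, e): e for w in range(T + 1)
             for pos in combinations(range(N), w) for e in [sum(1 << p for p in pos)]}
def decode(y):                    # D_G: syndrome decoding, unique for weight <= t
    return y ^ SYN_TABLE[mat_vec(H_PRIV, y)]

def mceliece_keygen(rng):
    S, P = random_invertible(K, rng), random_permutation(N, rng)
    return (mat_mul(mat_mul(S, G_PRIV), P), T), (S, P)       # G = S G' P

def mceliece_encrypt(pub, m, rng):
    G_pub, t = pub
    z = sum(1 << i for i in rng.sample(range(N), t))        # random error of weight t
    return vec_mat(m, G_pub) ^ z                            # c = m G + z

def mceliece_decrypt(priv, c):
    S, P = priv
    word = decode(vec_mat(c, transpose(P, N)))              # c P^{-1} (P^{-1} = P^T), then D_G
    # J = first k columns: G'_J is lower triangular with g_0 = 1 on the diagonal
    low = (1 << K) - 1
    mS = vec_mat(word & low, gf2_inverse([row & low for row in G_PRIV]))
    return vec_mat(mS, gf2_inverse(S))                      # m = (m S G')_J (G'_J)^{-1} S^{-1}

def niederreiter_keygen(rng):
    M, P = random_invertible(N - K, rng), random_permutation(N, rng)
    return (mat_mul(mat_mul(M, H_PRIV), P), T), (M, P)      # H' = M H P

def niederreiter_encrypt(pub, e):
    H_pub, t = pub
    assert weight(e) == t, "plaintext must be a weight-t vector"
    return mat_vec(H_pub, e)                                # s = H' e^T

def niederreiter_decrypt(priv, s):
    M, P = priv
    e_perm = SYN_TABLE[mat_vec(gf2_inverse(M), s)]         # M^{-1} s = H (P e^T): syndrome of e P^T
    return vec_mat(e_perm, P)                               # undo the permutation

def roundtrip(seed):
    """Encrypt and decrypt a random message with both schemes; True iff both recover it."""
    rng = random.Random(seed)
    pub, priv = mceliece_keygen(rng)
    m = rng.getrandbits(K)
    ok = mceliece_decrypt(priv, mceliece_encrypt(pub, m, rng)) == m
    pub, priv = niederreiter_keygen(rng)
    e = sum(1 << i for i in rng.sample(range(N), T))
    return ok and niederreiter_decrypt(priv, niederreiter_encrypt(pub, e)) == e

if __name__ == "__main__":
    print("round trips:", all(roundtrip(s) for s in range(5)))
```

Note how the two decryptions mirror the equations above: McEliece undoes $P$ first and decodes a codeword of $\mathcal{G}$, Niederreiter undoes $M$ first and decodes a syndrome; the syndrome table is shared because both end up decoding in the same secret code.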
2 Goppa codes

The Goppa codes considered in this paper are binary and irreducible. The following reasons make them interesting for cryptography:


e The lower bound for the minimum distance is easy to compute. 


e The knowledge of the generating polynomial (see below) allows efficient error cor- 
rection. 


e Without the knowledge of the generating polynomial, no efficient algorithms for 
error correction are known. 


For a comprehensive introduction to Goppa codes see [36, 34, 24]. 


2.1 Definition 


In this section, we will first define Goppa codes. Based on this definition, we will 
describe a way to construct a generator and a parity check matrix for Goppa codes. 
Goppa codes were defined by V. D. Goppa in 1970 [22]. 


Definition 2.1 (Goppa polynomial, syndrome, binary Goppa codes). Let $m$ and $t$ be positive integers and let
$$g(X) = \sum_{i=0}^{t} g_i X^i \in \mathbb{F}_{2^m}[X]$$
be a monic polynomial of degree $t$, called Goppa polynomial, and
$$L = (\gamma_0, \dots, \gamma_{n-1}) \in \mathbb{F}_{2^m}^{\,n}$$
a tuple of $n$ distinct elements such that
$$g(\gamma_i) \neq 0 \quad \text{for all } 0 \leq i < n.$$
For any vector $c = (c_0, \dots, c_{n-1}) \in \mathbb{F}_2^n$, define the syndrome of $c$ by
$$S_c(X) = \sum_{i=0}^{n-1} \frac{c_i}{X - \gamma_i} \bmod g(X). \tag{2.1}$$
The binary Goppa code $\mathcal{G}(L, g(X))$ over $\mathbb{F}_2$ is the set of all $c = (c_0, \dots, c_{n-1}) \in \mathbb{F}_2^n$ such that the identity
$$S_c(X) = 0 \tag{2.2}$$
holds in the polynomial ring $\mathbb{F}_{2^m}[X]$, or equivalently if
$$S_c(X) = \sum_{i=0}^{n-1} \frac{c_i}{X - \gamma_i} \equiv 0 \bmod g(X). \tag{2.3}$$
Thus, we have
$$\mathcal{G}(L, g(X)) = \{ c \in \mathbb{F}_2^n \mid S_c(X) = 0 \} = \{ c \in \mathbb{F}_2^n \mid S_c(X) \equiv 0 \bmod g(X) \}.$$
If $g(X)$ is irreducible over $\mathbb{F}_{2^m}$, then $\mathcal{G}(L, g(X))$ is called an irreducible binary Goppa code.


Remark 2.2. To emphasize the dependency of the vector $c$ on the sequence $L$, we sometimes write $c = (c_{\gamma_0}, \dots, c_{\gamma_{n-1}})$. The elements $\gamma_0, \dots, \gamma_{n-1} \in \mathbb{F}_{2^m}$ are called the code support.


Goppa codes are linear codes. If $g(X)$ is irreducible, we have $g(\gamma) \neq 0$ for all $\gamma \in \mathbb{F}_{2^m}$. Thus the tuple $L$ from the definition may contain all elements of $\mathbb{F}_{2^m}$. Now we will show how to construct the parity check matrix of a Goppa code $\mathcal{G}(L, g(X))$. Since $g(X) \equiv 0 \bmod g(X)$, the inverse of $X - \gamma_i$ modulo $g(X)$ is $-\frac{1}{g(\gamma_i)} \cdot \frac{g(X) - g(\gamma_i)}{X - \gamma_i}$, and since
$$\frac{g(X) - g(\gamma_i)}{X - \gamma_i} = \sum_{j=0}^{t} g_j\, \frac{X^j - \gamma_i^{\,j}}{X - \gamma_i} = \sum_{s=0}^{t-1} X^s \sum_{j=s+1}^{t} g_j\, \gamma_i^{\,j-1-s},$$
we see that $c \in \mathcal{G}(L, g(X))$ iff for all $s = 0, \dots, t-1$
$$\sum_{i=0}^{n-1} \frac{c_i}{g(\gamma_i)} \sum_{j=s+1}^{t} g_j\, \gamma_i^{\,j-1-s} = 0.$$
Thus, a parity check matrix of $\mathcal{G}(L, g(X))$ can be written as
$$H = \begin{pmatrix}
g_t\, g(\gamma_0)^{-1} & \cdots & g_t\, g(\gamma_{n-1})^{-1} \\
(g_{t-1} + g_t \gamma_0)\, g(\gamma_0)^{-1} & \cdots & (g_{t-1} + g_t \gamma_{n-1})\, g(\gamma_{n-1})^{-1} \\
\vdots & & \vdots \\
\bigl(\sum_{j=1}^{t} g_j \gamma_0^{\,j-1}\bigr)\, g(\gamma_0)^{-1} & \cdots & \bigl(\sum_{j=1}^{t} g_j \gamma_{n-1}^{\,j-1}\bigr)\, g(\gamma_{n-1})^{-1}
\end{pmatrix} = XYZ,$$
where
$$X = \begin{pmatrix} g_t & 0 & \cdots & 0 \\ g_{t-1} & g_t & \cdots & 0 \\ \vdots & & \ddots & \vdots \\ g_1 & g_2 & \cdots & g_t \end{pmatrix},\qquad
Y = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ \gamma_0 & \gamma_1 & \cdots & \gamma_{n-1} \\ \vdots & \vdots & & \vdots \\ \gamma_0^{\,t-1} & \gamma_1^{\,t-1} & \cdots & \gamma_{n-1}^{\,t-1} \end{pmatrix},\qquad
Z = \begin{pmatrix} \frac{1}{g(\gamma_0)} & & \\ & \ddots & \\ & & \frac{1}{g(\gamma_{n-1})} \end{pmatrix},$$
and therefore we have
$$c \in \mathcal{G}(L, g(X)) \iff H c^{\top} = 0. \tag{2.4}$$

The entries of the matrix $H$ are elements of the extension field $\mathbb{F}_{2^m}$ over $\mathbb{F}_2$. If we interpret $\mathbb{F}_{2^m}$ as an $m$-dimensional vector space over $\mathbb{F}_2$, we can write $H$ as a matrix over $\mathbb{F}_2$ of dimension $mt \times n$.

The rows of the matrix $H$ generate a vector space $V$ which is a subspace of $\mathbb{F}_2^n$. From (2.4) it follows that the Goppa code is the vector space dual to $V$. Therefore we obtain a generator matrix $G$ of the Goppa code by computing a basis of the vector space dual to $V$; the rows of $G$ are these basis vectors.

Since $H$ is an $mt \times n$ matrix whose binary rows need not be linearly independent, the matrix $G$ has dimension $k \times n$ with $k \geq n - mt$. Thus, it defines an $(n,k)$ Goppa code, where $k \geq n - mt$.


2.2 The minimum distance of irreducible binary Goppa codes 


In this section, we will determine the minimum distance of an irreducible binary Goppa code.

Let $\mathcal{G}(L, g(X))$ be an irreducible binary Goppa code with $L = (\gamma_0, \dots, \gamma_{n-1})$. Let $c = (c_0, \dots, c_{n-1}) \in \mathcal{G}(L, g(X))$ be a codeword and $T_c = \{ i : c_i = 1 \}$. Then we define
$$\sigma_c(X) = \prod_{j \in T_c} (X - \gamma_j) \in \mathbb{F}_{2^m}[X].$$
The derivative of $\sigma_c(X)$ is
$$\sigma_c'(X) = \sum_{i \in T_c}\ \prod_{j \in T_c \setminus \{i\}} (X - \gamma_j).$$
From (2.3) it follows
$$\sigma_c(X)\, S_c(X) \equiv \sigma_c'(X) \bmod g(X). \tag{2.5}$$
Since $g(\gamma_i) \neq 0$ for all $0 \leq i < n$, we have $\gcd(\sigma_c(X), g(X)) = 1$. Therefore, $\sigma_c(X)$ is invertible modulo $g(X)$ and we have
$$S_c(X) \equiv \sigma_c(X)^{-1}\, \sigma_c'(X) \bmod g(X).$$
It follows that
$$\forall c \in \mathbb{F}_2^n:\quad c \in \mathcal{G}(L, g(X)) \iff \sigma_c'(X) \equiv 0 \bmod g(X).$$
The map $\mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$, $x \mapsto x^2$ is the Frobenius automorphism of $\mathbb{F}_{2^m}$; therefore every element $y \in \mathbb{F}_{2^m}$ has a unique square root. The Frobenius map
$$\mathbb{F}_{2^m}[X] \to \mathbb{F}_{2^m}[X],\qquad f(X) = \sum_i f_i X^i \ \mapsto\ f(X)^2 = \sum_i f_i^{\,2} X^{2i}$$
is an injective, but not surjective, ring homomorphism. Its image is $\mathbb{F}_{2^m}[X^2]$, the set of polynomials which are perfect squares in the ring $\mathbb{F}_{2^m}[X]$. Writing $\sigma_c(X) = \sum_i \sigma_i X^i$, the polynomial $\sigma_c'(X) = \sum_i i\,\sigma_i X^{i-1}$ is a perfect square, because in $\mathbb{F}_{2^m}$ we have $i\,\sigma_i X^{i-1} = 0$ for each even $i$. Since $g(X)$ is irreducible, we have
$$\forall c \in \mathbb{F}_2^n:\quad c \in \mathcal{G}(L, g(X)) \iff \sigma_c'(X) \equiv 0 \bmod g(X)^2.$$
Thus, for any codeword $c \in \mathcal{G}(L, g(X)) \setminus \{0\}$ we have
$$\operatorname{wt}(c) = \deg \sigma_c(X) \geq 1 + \deg \sigma_c'(X) \geq 2 \deg g(X) + 1.$$


2.3 Error correction for irreducible binary Goppa codes 


As mentioned above, the minimum distance of a Goppa code $\mathcal{G}$ which is generated by an irreducible polynomial of degree $t$ is at least $2t+1$. Therefore, it is always possible to correct up to $t$ errors. We will now describe such an error correction algorithm which corrects up to $t$ errors in the case of an irreducible binary Goppa code $\mathcal{G}(L, g(X))$. The error correction of non-binary or non-irreducible Goppa codes is slightly different and can be found in [36, 24].

Assume $m \in \mathcal{G}(L, g(X))$ is a codeword, $e \in \mathbb{F}_2^n$ with $\operatorname{wt}(e) \leq t$ is an error vector, and
$$c = m \oplus e.$$
Given $c$, we want to compute $e$ and $m$. Note that since $m$ is a codeword, we have $S_m(X) \equiv 0 \bmod g(X)$ and therefore
$$S_c(X) \equiv S_e(X) \bmod g(X).$$
First, we define the error locator polynomial $\sigma_e(X)$. For $T_e = \{ i : e_i = 1 \}$, we set
$$\sigma_e(X) = \prod_{j \in T_e} (X - \gamma_j) \in \mathbb{F}_{2^m}[X].$$
From (2.3), it follows
$$\sigma_e(X)\, S_e(X) \equiv \sigma_e'(X) \bmod g(X). \tag{2.6}$$
We split $\sigma_e(X)$ into squares and non-squares, i.e. into its even and its odd powers of $X$. Then we have
$$\sigma_e(X) = \alpha^2(X) + X\,\beta^2(X).$$
Since the characteristic of the field is 2, we have $\sigma_e'(X) = \beta^2(X)$. Thus equation (2.6) can be rewritten as follows:
$$\beta^2(X)\,\bigl(X S_e(X) + 1\bigr) \equiv \alpha^2(X)\, S_e(X) \bmod g(X). \tag{2.7}$$
We can assume that $e$ is not a codeword, thus $S_e(X) \not\equiv 0 \bmod g(X)$. Therefore, there exists an inverse of $S_e(X)$ modulo $g(X)$. We set $T(X) = S_e^{-1}(X)$, and multiply equation (2.7) by $T(X)$. Then we obtain
$$\beta^2(X)\,\bigl(X + T(X)\bigr) \equiv \alpha^2(X) \bmod g(X). \tag{2.8}$$
As mentioned in the last section, each element of $\mathbb{F}_{2^m}$ has a unique square root. So let $\tau(X) \in \mathbb{F}_{2^m}[X]$ be the unique square root of the polynomial $T(X) + X$ modulo $g(X)$, i.e. $\tau(X)\,\tau(X) \equiv T(X) + X \bmod g(X)$. Taking the square root of equation (2.8) we obtain
$$\beta(X)\,\tau(X) \equiv \alpha(X) \bmod g(X). \tag{2.9}$$
In order to solve the last equation for known $\tau(X)$ and $g(X)$, we have to determine $\alpha(X)$ and $\beta(X)$ of least degree. By assumption we have $\deg(\sigma_e(X)) \leq t$. It follows that $\deg(\alpha(X)) \leq \lfloor t/2 \rfloor$ and $\deg(\beta(X)) \leq \lfloor (t-1)/2 \rfloor$. This yields a unique solution of equation (2.9) which can be found by applying the extended Euclidean algorithm. We recall that this algorithm may be used to compute polynomials $\alpha_k(X)$, $\beta_k(X)$ with $\alpha_k(X) + \beta_k(X)\,\tau(X) \equiv 0 \bmod g(X)$ in each step, where $\deg(\beta_k(X)) = \deg(g(X)) - \deg(\alpha_{k-1}(X))$. This last formula presents the relation between the degrees of $\alpha$ and $\beta$: after each step, the degree of $\beta$ increases as the degree of $\alpha$ decreases. Using this, one can see that there is a unique point in the computation of the Euclidean algorithm where the degree of both polynomials is below the respective bound. More precisely, we run the algorithm until $\deg(\alpha_k(X))$ drops below $\lceil (t+1)/2 \rceil$ for the first time and get
$$\deg \alpha_k(X) \leq \lceil (t+1)/2 \rceil - 1 = \lfloor t/2 \rfloor.$$
In this round of the algorithm the following holds:
$$\deg \beta(X) = \deg(\beta_k(X)) = \deg(g(X)) - \deg(\alpha_{k-1}(X)) \leq t - \lceil (t+1)/2 \rceil = \lfloor (t-1)/2 \rfloor.$$
Now, we set $\alpha(X) = \alpha_k(X)$ and $\beta(X) = \beta_k(X)$ (see Algorithm 2.3.1). In [36, 34, 24], it is shown in more detail that they fulfill equation (2.9) and are unique.

Finally, the computation of the zeroes of $\sigma_e(X) = \alpha^2(X) + X\,\beta^2(X)$ leads to the vectors $e$ and $m$. The whole procedure of error correction is summarized in Algorithm 2.3.1.


The runtime of the presented error correction algorithm may be estimated as follows. To compute the syndrome $S_c(X)$ employing the check matrix $H$, we need at most $(n-k)n$ binary operations. To compute $T(X)$, we employ the extended Euclidean algorithm. This takes $O(t^2 m^2)$ binary operations, as the computations are modulo $g(X)$, a polynomial of degree $t$ with coefficients of size $m$ bits. Computing the square root of $T(X) + X$ takes $O(t^2 m^2)$ operations, since it is a linear mapping on $\mathbb{F}_{2^m}[X]/g(X)$. The subsequently employed variant of the extended Euclidean algorithm takes $O(t^2 m^2)$ binary operations, too. These steps are all comparatively easy in comparison to the last step of the algorithm, which is to find all roots of the error locator polynomial. This last step can be performed in $n(tm^2 + tm)$ binary operations; thus the whole error correction algorithm needs
$$O(n \cdot t \cdot m^2)$$
binary operations, as $mt \geq n - k$.
Algorithm 2.3.1 Error correction of binary irreducible Goppa codes

Input: A binary irreducible Goppa code $\mathcal{G}(L, g(X))$, a vector $c = m \oplus e$, where $m$ is a codeword and $e$ is an error vector.
Output: The message $m$ and the error vector $e$.

    /* Compute the syndrome of c */
    $S_c(X) = \sum_{i=0}^{n-1} \frac{c_i}{X - \gamma_i} \bmod g(X)$   (or use the parity check matrix $H$)
    if $S_c(X) \equiv 0 \bmod g(X)$ then
        /* there is no error, c is a codeword */
        return $(c, 0)$
    else
        /* there are errors, c is not a codeword */
        $T(X) = S_c^{-1}(X) \bmod g(X)$
        $\tau(X) = \sqrt{T(X) + X} \bmod g(X)$

        /* extended Euclidean algorithm */
        $i = 0$; $r_{-1}(X) = \alpha_{-1}(X) = g(X)$; $r_0(X) = \alpha_0(X) = \tau(X)$; $\beta_{-1}(X) = 0$; $\beta_0(X) = 1$
        while $\deg(r_i(X)) \geq \lceil (t+1)/2 \rceil$ do
            $i = i + 1$
            determine $q_i(X)$ and $r_i(X)$ s.t. $r_i(X) = r_{i-2}(X) - q_i(X)\, r_{i-1}(X)$ and $\deg(r_i(X)) < \deg(r_{i-1}(X))$
            $\beta_i(X) = \beta_{i-2}(X) + q_i(X)\, \beta_{i-1}(X)$
            $\alpha_i(X) = r_i(X)$

        $\sigma_e(X) = \lambda\,\bigl((\alpha_i(X))^2 + X\,(\beta_i(X))^2\bigr)$ with $\lambda \in \mathbb{F}_{2^m}$ chosen s.t. $\sigma_e(X)$ is monic
        /* Determination of zeroes of $\sigma_e(X)$ */
        for $i = 0$ to $n-1$ do
            if $\sigma_e(\gamma_i) = 0$ then
                $e_i = 1$
            else
                $e_i = 0$
        $m = c \oplus e$
        return $(m, e)$
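The construction of Section 2.1 and Algorithm 2.3.1 carried out in code, as an added example that is not part of the paper: a binary irreducible Goppa code over $\mathbb{F}_{2^4}$ with $t = 2$ and the full support $L = \mathbb{F}_{16}$, the binary parity-check matrix built from $YZ$ (the invertible factor $X$ is dropped, since it does not change the code), a generator matrix from its null space, and Patterson-style decoding of the syndrome $S_c(X)$. The field polynomial $x^4 + x + 1$, the Goppa polynomial $g(X) = X^2 + X + \alpha^3$, the coefficient-list representation of polynomials and all function names are choices made for this example; square roots modulo $g$ are taken by exponentiation in the field $\mathbb{F}_{2^m}[X]/(g)$, which is this example's substitute for the linear map mentioned in the runtime discussion.

```python
M, T = 4, 2                      # GF(2^m) with m = 4; g has degree t = 2
FIELD_MOD = 0b10011              # x^4 + x + 1 defines GF(16) (choice for this example)
N = 1 << M                       # support L = all of GF(16); allowed since g has no root

def gf_mul(a, b):                # multiply two elements of GF(2^m) given as ints
    r = 0
    while b:
        if b & 1: r ^= a
        a <<= 1
        if a >> M: a ^= FIELD_MOD
        b >>= 1
    return r

def gf_inv(a):                   # a^(2^m - 2), a != 0
    r = 1
    for _ in range((1 << M) - 2): r = gf_mul(r, a)
    return r

# Polynomials over GF(2^m) are coefficient lists, lowest degree first.
def p_deg(p): return max((i for i, c in enumerate(p) if c), default=-1)
def p_add(a, b):
    return [(a[i] if i < len(a) else 0) ^ (b[i] if i < len(b) else 0) for i in range(max(len(a), len(b)))]
def p_mul(a, b):
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b): r[i + j] ^= gf_mul(x, y)
    return r
def p_divmod(a, b):
    a, db = list(a), p_deg(b); inv = gf_inv(b[db])
    q = [0] * max(1, len(a) - db)
    for i in range(len(a) - 1, db - 1, -1):
        if a[i]:
            c = gf_mul(a[i], inv); q[i - db] = c
            for j in range(db + 1): a[i - db + j] ^= gf_mul(c, b[j])
    return q, a[:db] or [0]
def p_mod(a, b): return p_divmod(a, b)[1]
def p_eval(p, x):
    r = 0
    for c in reversed(p): r = gf_mul(r, x) ^ c
    return r
def p_powmod(a, e, g):           # a^e mod g by square-and-multiply
    r = [1]
    while e:
        if e & 1: r = p_mod(p_mul(r, a), g)
        a = p_mod(p_mul(a, a), g); e >>= 1
    return r

# Goppa polynomial g(X) = X^2 + X + alpha^3 (alpha^3 = 0b1000): degree 2 without a root
# in GF(16), hence irreducible.  L = (gamma_0, ..., gamma_15) = every field element.
G_POLY = [0b1000, 1, 1]
assert all(p_eval(G_POLY, x) for x in range(N)), "g must have no root in GF(2^m)"
L = list(range(N))
Q = 1 << (M * T)                 # size of the field GF(2^m)[X]/(g)
def p_inv_mod(a, g): return p_powmod(a, Q - 2, g)
def p_sqrt_mod(a, g): return p_powmod(a, Q // 2, g)   # inverse of the Frobenius map

def check_matrix():
    """Binary mt x n parity-check matrix of G(L, g): entry (s, i) of Y Z is gamma_i^s / g(gamma_i),
    and each GF(2^m) entry is expanded into m binary rows."""
    rows = []
    for s in range(T):
        ent = [gf_mul(p_eval([0] * s + [1], gam), gf_inv(p_eval(G_POLY, gam))) for gam in L]
        rows += [[(v >> b) & 1 for v in ent] for b in range(M)]
    return rows

def gf2_nullspace(H, n):
    """Basis of {x in GF(2)^n : H x^T = 0}, i.e. a generator matrix of the code with check matrix H."""
    rows, pivots = [r[:] for r in H], []
    for c in range(n):
        p = next((i for i in range(len(pivots), len(rows)) if rows[i][c]), None)
        if p is None: continue
        r = len(pivots); rows[r], rows[p] = rows[p], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][c]: rows[i] = [x ^ y for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
    basis = []
    for f in (c for c in range(n) if c not in pivots):
        v = [0] * n; v[f] = 1
        for i, pc in enumerate(pivots): v[pc] = rows[i][f]
        basis.append(v)
    return basis

H = check_matrix()               # 8 x 16 over GF(2)
GEN = gf2_nullspace(H, N)        # k x 16 with k >= n - mt = 8

def syndrome(c):                 # S_c(X) = sum_{c_i = 1} 1/(X - gamma_i) mod g, equation (2.1)
    S = [0]
    for i, gam in enumerate(L):
        if c[i]: S = p_add(S, p_inv_mod([gam, 1], G_POLY))      # X - gamma = X + gamma in char 2
    return S

def patterson_decode(c):
    """Algorithm 2.3.1: split c (at most t errors) into (codeword, error vector)."""
    S = syndrome(c)
    if p_deg(S) < 0: return list(c), [0] * N
    Tp = p_inv_mod(S, G_POLY)                                   # T(X) = S^{-1}(X)
    tau = p_sqrt_mod(p_add(Tp, [0, 1]), G_POLY)                 # tau^2 = T(X) + X mod g
    r_prev, r_cur, b_prev, b_cur = G_POLY, tau, [0], [1]        # EEA, beta_i tracked alongside r_i
    while p_deg(r_cur) > T // 2:                                # stop once deg(alpha) <= floor(t/2)
        q, rem = p_divmod(r_prev, r_cur)
        r_prev, r_cur = r_cur, rem
        b_prev, b_cur = b_cur, p_add(b_prev, p_mul(q, b_cur))
    alpha, beta = r_cur, b_cur                                  # beta * tau = alpha mod g
    sigma = p_add(p_mul(alpha, alpha), [0] + p_mul(beta, beta)) # sigma_e = alpha^2 + X beta^2
    e = [1 if p_eval(sigma, gam) == 0 else 0 for gam in L]      # roots of sigma_e = error positions
    return [x ^ y for x, y in zip(c, e)], e

def demo():
    """Corrupt a codeword in two positions (one of them gamma_0 = 0) and decode it."""
    m = [x ^ y for x, y in zip(GEN[0], GEN[-1])]
    e = [0] * N; e[0] = e[5] = 1
    return patterson_decode([x ^ y for x, y in zip(m, e)]) == (m, e)
```

The error at $\gamma_0 = 0$ is the edge case worth keeping in the test: there $\tau(X)$ can be the zero polynomial, the Euclidean loop does not run at all, and $\sigma_e$ degenerates to $X\beta^2$ with the root $0$ found only because the algorithm is allowed to return $\alpha = 0$.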


162 D. Engelbert, R. Overbeck, and A. Schmidt 


3 Attacks on the private key 


In the following sections, we present several attacks on the McEliece PKC. In this 
section, we view attacks that aim to get the private key from the public key. We will see 
that not every class of linear codes is a secure choice for the McEliece cryptosystem. 


3.1 The importance of S, P and M


Suppose the set $L$ which was used to generate the secret Goppa code for some public key of the McEliece PKC is known. This is true for normal applications, and if $P$ is secret, then $L$ may be revealed without security problems.

Suppose that $g$ is unknown. Let $H'$ be the systematic check matrix of $G = SG'P$. Assume further that an attacker is able to recover $P$ and $M$ such that $M^{-1}H'P^{-1} = H$, where $H = XYZ$ has the form given in Section 2 (represented over $\mathbb{F}_2$). Then he can compute $g$ in the following way: the matrix $g_t Z$ is written in the first $m$ rows of $H$. The matrix $Y$ is determined by $L$. Thus the attacker can recover $X/g_t$ by solving some linear equations. Since $g/g_t$ defines the same Goppa code as $g$, the attacker is now able to correct errors efficiently. This breaks Niederreiter's as well as McEliece's cryptosystem.

If the matrix $P$ is revealed, it is easy to recover the generator polynomial from $H'P^{-1}$ using equation (2.6), as $S_c(X) = 0$ for every binary vector $c$ of length $n$ with $H'P^{-1}c^{\top} = 0$.

The secret matrix $S$ indeed has no cryptographic function in hiding the secret polynomial $g$. Today, there is no way to recover $H$ with the knowledge of $S^{-1}G$ only.

For the security of the McEliece PKC it is absolutely crucial to keep $M$ secret. The knowledge of $M^{-1}H' = HP$ is sufficient to recover $g$. We may interpret $M^{-1}H'$ as a matrix over $\mathbb{F}_{2^m}$. As we will see in the following, this allows an efficient computation of $g$ and $P$.


3.2 Attack on the original Niederreiter PKC 


Niederreiter proposed his cryptosystem originally using generalized Reed-Solomon (GRS) codes. In 1992 V. M. Sidelnikov and S. O. Shestakov proposed an attack on Niederreiter's cryptosystem using GRS codes [48] which reveals an alternative private key in polynomial time. We consider this attack worth mentioning, as Goppa codes are subfield subcodes of GRS codes, even though the results from [48] do not affect the security of the original McEliece PKC.

In their attack, Sidelnikov and Shestakov take advantage of the fact that the check matrix of a GRS code is of the form
$$H = \begin{pmatrix}
z_1 \alpha_1^{0} & z_1 \alpha_1^{1} & \cdots & z_1 \alpha_1^{s} \\
z_2 \alpha_2^{0} & z_2 \alpha_2^{1} & \cdots & z_2 \alpha_2^{s} \\
\vdots & \vdots & & \vdots \\
z_n \alpha_n^{0} & z_n \alpha_n^{1} & \cdots & z_n \alpha_n^{s}
\end{pmatrix} \in \mathbb{F}_q^{\,n \times (s+1)}. \tag{3.1}$$
Note that the matrix $X^{-1}H = YZ$ from Section 2 is of this form, too (up to transposition). It follows that the Goppa code is the set of binary vectors in the kernel of a matrix of this form, or, to say it differently, each Goppa code is a subcode over a subfield of a GRS code.

A public Niederreiter key is of the form $H' = PHM$, where $M$ is a non-singular matrix and $P$ a permutation matrix. The permutation matrix $P$ does not change the structure of $H$, so we don't have to worry about $P$. The entries of $H'$ can be viewed as the values of polynomials $M_{\cdot i}$ (whose coefficients are given by the $i$-th column of $M$ and which are therefore denoted in the same way) multiplied by $z_j$:
$$H' = \begin{pmatrix}
z_1 M_{\cdot 0}(\alpha_1) & z_1 M_{\cdot 1}(\alpha_1) & \cdots & z_1 M_{\cdot s}(\alpha_1) \\
z_2 M_{\cdot 0}(\alpha_2) & z_2 M_{\cdot 1}(\alpha_2) & \cdots & z_2 M_{\cdot s}(\alpha_2) \\
\vdots & \vdots & & \vdots \\
z_n M_{\cdot 0}(\alpha_n) & z_n M_{\cdot 1}(\alpha_n) & \cdots & z_n M_{\cdot s}(\alpha_n)
\end{pmatrix},$$
where $M_{\cdot i}(x) = \sum_{j=0}^{s} M_{ji}\, x^j$.

Sidelnikov and Shestakov conclude that each entry of the row $H'_{j\cdot}$ can be expressed by a polynomial in $\alpha_j$. From this observation one can derive a system of polynomial equations whose solution yields the private key. We will need the notation $H = Z \cdot A$ with $A := Z^{-1}H$ and the diagonal matrix $Z := \operatorname{diag}[z_1, \dots, z_n]$.

We want to assume without loss of generality that $\alpha_1 = 1$ and $\alpha_2 = 0$. In order to do this, we have to view the matrices $H$, $M$ and $H'$ as matrices over $\bar{\mathbb{F}} := \mathbb{F}_q \cup \{\infty\}$ with $1/\infty = 0$, $1/0 = \infty$ and $f(\infty) = f_{\deg f}$ for every polynomial $f(x) = \sum_i f_i x^i$ over $\mathbb{F}_q$. Sidelnikov and Shestakov show that for every birational transformation ($\bar{\mathbb{F}}$-automorphism)
$$\phi(x) = \frac{ax + b}{cx + d} \quad \text{with } a, b, c, d \in \mathbb{F}_q,\ ad - bc \neq 0$$
there exist $z'_1, \dots, z'_n$ and a matrix $M'$ such that
$$H' = \begin{pmatrix}
z'_1\, \phi(\alpha_1)^{0} & z'_1\, \phi(\alpha_1)^{1} & \cdots & z'_1\, \phi(\alpha_1)^{s} \\
\vdots & \vdots & & \vdots \\
z'_n\, \phi(\alpha_n)^{0} & z'_n\, \phi(\alpha_n)^{1} & \cdots & z'_n\, \phi(\alpha_n)^{s}
\end{pmatrix} M'.$$
For every three numbers $\alpha_1, \alpha_2, \alpha_3 \in \bar{\mathbb{F}}$ it is possible to find a birational transformation $\phi$ such that
$$\phi(\alpha_1) = 1 =: x_1,\qquad \phi(\alpha_2) = 0 =: x_2,\qquad \phi(\alpha_3) = \infty =: x_3,\qquad \phi(\alpha_j) =: x_j \ \text{ for } j \notin \{1,2,3\}.$$
Thus we can make the assumption mentioned above. Note that because $x_3 = \infty$ we have $x_i \neq \infty$ for all $i \neq 3$.

We can use Algorithm 3.2.1 to recover an (alternative) private Niederreiter key from the public key. The algorithm generates a system of polynomial equations based on the assumption $x_1 = 1$, $x_2 = 0$, $x_3 = \infty$ and solves it. We are going to explain the algorithm briefly. First we have to remember the identification of the entries of $H'$ with polynomials evaluated at the $\alpha_j$. Thus for $c_i \in \mathbb{F}_q^{\,s+1}$, $i = 1, 2$ and $j \in \{1, \dots, n\}$, the scalar product $H'_{j\cdot}\, c_i$ is the value of a polynomial $\pi_i$ at $x_j$, where $\pi_i$ is of degree at most $s$. Defining $J_1 = \{1, s+2, s+3, \dots, 2s\}$ and $J_2 = \{2, s+2, s+3, \dots, 2s\}$ we can solve $H'_{J_i \cdot}\, c_i = 0$ for $i = 1, 2$. We get two polynomials $\pi_1, \pi_2$ with common zeroes in $x_{s+2}, \dots, x_{2s}$ and one further zero in $x_1$ and in $x_2$ respectively. We know that $x_1 = 1$, $x_2 = 0$; thus,
$$\frac{H'_{j\cdot}\, c_1}{H'_{j\cdot}\, c_2} = \frac{\pi_1(x_j)}{\pi_2(x_j)} = \frac{\pi_1(\infty)}{\pi_2(\infty)} \cdot \frac{x_j - 1}{x_j} = \frac{\pi_1(x_3)}{\pi_2(x_3)} \cdot \frac{x_j - 1}{x_j},$$
which reveals $x_j$ for $j \notin \{1, 2, s+2, \dots, 2s\}$. To determine the missing $x_j$, $j \in \{s+2, \dots, 2s\}$, we repeat the procedure (introducing $c_3, J_3, c_4$ and $J_4$) and take into account the knowledge of the already determined $x_j$. Afterwards we perform another birational transformation $\phi'$ on the $x_j$ such that the $\alpha_j = \phi'(x_j)$ are finite.

Knowing all $\alpha_i$, $i \in \{1, \dots, n\}$, we are able to recover $z_2, \dots, z_{s+2}$ assuming that $z_1 = 1$. Defining $J_5 := \{1, 2, \dots, s+2\}$ and solving $c_5 H'_{J_5 \cdot} = 0$ for $c_5 \in \mathbb{F}_q^{\,s+2}$ we get a vector such that $\sum_{j=1}^{s+2} c_{5j}\, z_j\, M_{\cdot i}(\alpha_j) = 0$ for $i = 0, \dots, s$. Expressing this in matrix form we get
$$c_5\,(HM)_{J_5 \cdot} = c_5\,(ZA)_{J_5 \cdot}\, M = 0$$
and consequently we know that $c_5\,(ZA)_{J_5 \cdot} = 0$, which gives us a linear system with $s+1$ unknowns and $s+1$ equations since $z_1$, $A$ and $c_5$ are already known. Now we can determine $M$ and subsequently the remaining $z_j$. Algorithm 3.2.1 has a running time of $O(s^4 + sn)$. For details see [48].


Remark 3.1. Algorithm 3.2.1 cannot be applied to McEliece/Niederreiter cryptosystems using Goppa codes. Even though for every Goppa code there is a check matrix $H$ which has the same structure as the check matrix $H$ for GRS codes in equation (3.1) (see [36]), there is no analogous interpretation of $H'$ for the Niederreiter cryptosystem using Goppa codes. We are able to view $H$ as a matrix over $\mathbb{F}_2$ if we are using Goppa codes, whereas this doesn't work for GRS codes. Thus we have different matrices $M$: $M \in \mathbb{F}_q^{(s+1) \times (s+1)}$ for the GRS case and $M \in \mathbb{F}_2^{\,mt \times mt}$ for Goppa codes. Thus, in the latter case, $H'$ has no obvious structure as long as $M$ is unknown.


3.3 Weak keys and the Support Splitting Algorithm 


P. Loidreau and N. Sendrier proposed a way to identify a subclass of Goppa codes, namely the ones with binary generator polynomial $g \in \mathbb{F}_2[X]$. If an attacker knows that the secret generator polynomial is binary, this reduces the search space of a brute force attack on the private key [35]. Their general idea is to take advantage of the Support Splitting Algorithm (SSA) presented in [45]. The SSA can be used as an oracle to decide whether two codes are permutation equivalent as well as to determine the automorphism group of a code. P. Loidreau and N. Sendrier use this ability to determine if the generator polynomial of a Goppa code is a binary (irreducible) polynomial. If this is the case, we search the space of the Goppa codes with binary generator polynomial for a code which is equivalent to the one given by the public generator matrix. If such a code is found, the SSA can be used to recover the permutation matrix $P$. There is another attack by Gibson [21], which aims to recover the matrix $P$, but we forbear presenting it here, as its average work factor is larger than $2^{n(1+o(1))}$ binary operations [46].

Algorithm 3.2.1 GRSrecover [48]

Input: $H' = (h_{ij}) \in \mathbb{F}_q^{\,n \times (s+1)}$ and $t$, a Niederreiter public key.
Output: $H$ and $M$ of an alternative private Niederreiter key, $H$ given by $\alpha_1, \dots, \alpha_n$ and $z_1, \dots, z_n$.

    $J_1 = \{1, s+2, s+3, \dots, 2s\}$; $J_2 = \{2, s+2, s+3, \dots, 2s\}$;
    $J_3 = \{1, 3, 4, \dots, s+1\}$; $J_4 = \{2, 3, 4, \dots, s+1\}$; $J_5 = \{1, 2, \dots, s+2\}$;
    for $i = 1$ to $4$ do
        solve $H'_{J_i \cdot}\, c_i = 0$ with $c_i \in \mathbb{F}_q^{\,s+1} \setminus \{0\}$;
    for $j \notin J_1 \cup J_2$ do
        $b_{1j} = H'_{j\cdot}\, c_1$; $b_{2j} = H'_{j\cdot}\, c_2$;
        $b_j = b_{1j} / b_{2j}$;
    for $j \in \{n, 2s, \dots, s+2\}$ do
        $b_{3j} = H'_{j\cdot}\, c_3$; $b_{4j} = H'_{j\cdot}\, c_4$;
        $b_j = b_n \cdot \dfrac{b_{4n}}{b_{3n}} \cdot \dfrac{b_{3j}}{b_{4j}}$;   // note that we already know $b_n$
    $x_1 = 1$; $x_2 = 0$; $x_3 = \infty$;
    for $j = 4$ to $n$ do
        // determining the values of $x_j$
        $x_j = b_3 / (b_3 - b_j)$;
    choose some $a \in \mathbb{F}_q$ differing from all $x_j$;
    for $j = 1$ to $n$ do
        // mapping the $x_j$ to finite elements
        $\alpha_j = 1/(a - x_j)$; $A_{j\cdot} = (\alpha_j^{0}, \dots, \alpha_j^{s})$;
    solve $c_5 H'_{J_5 \cdot} = 0$ with $c_5 \in \mathbb{F}_q^{\,s+2} \setminus \{0\}$;
    $z_1 = 1$;
    find $z_2, \dots, z_{s+2} \in \mathbb{F}_q$ such that $\sum_{j=1}^{s+2} c_{5j}\, z_j\, A_{j\cdot} = 0$;
    for $i = 0$ to $s$ do
        solve $A_{J_5 \cdot}\, M_{\cdot i} = (Z^{-1} H')_{J_5,\, i}$;
    $M = (M_{\cdot 0}, \dots, M_{\cdot s})$;
    for $j = 3$ to $n$ do
        $z_j = H'_{j\cdot}\, (M^{-1})_{\cdot 0}$;
    return $\alpha_1, \dots, \alpha_n$, $z_1, \dots, z_n$, $M$;

The Support Splitting Algorithm was presented to solve the problem of deciding whether two codes are permutation equivalent in (almost) polynomial time. We will explain it in the following. Our notation in the following presentation of the algorithm will differ slightly from that used in [45], so as not to confuse the reader of this paper with two different definitions of a signature. The main idea is to partition the index set of the code $\mathcal{C}$ into small sets which are fixed under the operation of the elements of $\operatorname{Aut}(\mathcal{C})$. We have to introduce some definitions first:


Definition 3.2. Let $\mathcal{L}$ be the set of all codes and let $\mathcal{M}$ be an arbitrary set. A function $f: \mathcal{L} \times \mathbb{N} \to \mathcal{M}$ is called permutation invariant if for all $(n,k)$ codes $\mathcal{C}$ and all permutations $\pi$ on $\{1, \dots, n\}$ the equation $f(\mathcal{C}, i) = f(\pi(\mathcal{C}), \pi(i))$ holds. A permutation invariant function $f$ is called discriminant for $\mathcal{C}$ if there exist $i, j \in \{1, \dots, n\}$ s.t. $f(\mathcal{C}, i) \neq f(\mathcal{C}, j)$. It is further called fully discriminant for $\mathcal{C}$ if
$$\forall i, j \in \{1, \dots, n\}:\quad i \neq j \ \Rightarrow\ f(\mathcal{C}, i) \neq f(\mathcal{C}, j).$$


If we have two permutation equivalent codes $\mathcal{C}$ and $\mathcal{C}'$ and a fully discriminant function for $\mathcal{C}$, then we are able to name the permutation $\pi$ s.t. $\pi(\mathcal{C}) = \mathcal{C}'$. In order to build a discriminant function for $\mathcal{C}$, we employ the weight enumerator and punctured codes:

Definition 3.3. Let $\mathcal{C}$ be an $(n,k)$ code over a field $\mathbb{F}$. Let $J$ be any subset of $\{1, \dots, n\}$. Then the code $\mathcal{C}$ punctured in $J$ is defined by
$$\mathcal{C}_J = \{ x \in \mathbb{F}^n \mid x_J = 0 \ \text{and}\ \exists y \in \mathcal{C}\ \forall j \notin J:\ x_j = y_j \}.$$
The weight enumerator $W: \mathcal{L} \to \mathbb{N}^{\mathbb{N}}$ is the function s.t. $W(\mathcal{C})_i$ is the number of words of weight $i$ in the code $\mathcal{C}$ for all $i \in \mathbb{N}$.

Example 3.4. The function $W': \mathcal{L} \times \mathbb{N} \to \mathbb{N}^{\mathbb{N}}$, $(\mathcal{C}, i) \mapsto W(\mathcal{C}_{\{i\}})$ is permutation invariant. Furthermore, $W'$ is discriminant for most binary $(n,k)$ codes $\mathcal{C}$.


We are going to use discriminant functions to partition the index set of a code. Starting with a function $f$ discriminant for $C$, we want to construct a function $g$ more discriminant for $C$ in the sense of

$$|g(C,\{1,\dots,n\})| \;\geq\; |f(C,\{1,\dots,n\})|$$

for the $(n,k)$ code $C$. The function $g$ is called strictly more discriminant for $C$ if we can replace $\geq$ with $>$ in the inequality above. We repeat this process until we get a fully discriminant function for $C$. The following two definitions will enable us to do so.
Definition 3.5. Let $f, g$ be two permutation invariant functions. We define the product of $f$ and $g$ as

$$f\times g: \mathcal{L}\times\mathbb{N}\to M\times M,\qquad (C,i)\mapsto \big(f(C,i),\, g(C,i)\big),$$

and the dual of $f$ as

$$f^\perp: \mathcal{L}\times\mathbb{N}\to M,\qquad (C,i)\mapsto f(C^\perp, i).$$

The function $f$ is called self-dual if $f = f^\perp$.


It is easy to see that $f\times g$ is more discriminant than $f$. With the definitions above, we are able to describe the Support Splitting Algorithm (Algorithm 3.3.1). It mainly consists of a while-loop in which Definitions 3.5 and 3.3 are used to obtain more discriminant functions for a given code $C$, until a fully discriminant function for $C$ is generated. After the while-loop the index set of $C$ is partitioned in a standardized way.


Algorithm 3.3.1 Support Splitting Algorithm (SSA)

Input: $G$ generator matrix of a linear $(n,k)$ code $C$,
       $S: \mathcal{L}\times\mathbb{N}\to M$ permutation invariant, discriminant for $C$.
Output: $P = \{(P_j, j)\}_{1\le j\le n}$, $P_j\subseteq\{1,\dots,n\}$, called labeled partition,
        $T$ a permutation invariant, discriminant function for $C$.

  $I_n = \{1,\dots,n\}$;
  $j = 0$;
  $T_0 = S$;
  while (a function strictly more discriminant for $C$ than $T_j$ exists) do
    choose $L\subseteq T_j(C, I_n)$ at random;
    $T_{j+1}(C,i) = T_j(C,i)\times S\big(C_{\{i'\in I_n \mid T_j(C,i')\in L\}},\, i\big)\times S^\perp\big(C_{\{i'\in I_n \mid T_j(C,i')\in L\}},\, i\big)$;
    $j = j+1$;
  $T = T_j$;
  for $j = 1$ to $n$ do
    if $j\in\bigcup_{1\le i<j} P_i$ then
      $P_j = \emptyset$;
    else
      $P_j = \{i\in I_n \mid T(C,i) = T(C,j)\}$;


There are two main difficulties with the algorithm. The first one is that it won't terminate if we are not able to generate a fully discriminant function for $C$ in the while-loop, since only then would we know that no further refinement of $T_j$ exists. However, Remark 3.10 will give us a termination criterion for binary Goppa codes. The second difficulty is to find a good choice for the function $S$. According to [35] and [45], for binary codes $C$ we choose

$$S: \mathcal{L}\times\mathbb{N}\to\mathbb{N}^{\mathbb{N}}\times\mathbb{N}^{\mathbb{N}},\qquad (C,i)\mapsto \Big(W\big(C_{\{i\}}\cap (C_{\{i\}})^\perp\big),\; W\big((C^\perp)_{\{i\}}\cap ((C^\perp)_{\{i\}})^\perp\big)\Big) \qquad (3.2)$$

as input for SSA, where $W$ is the weight enumerator. This function is discriminant in practice. Choosing suitable criteria for exiting the while-loop, Algorithm 3.3.1 runs in time

$$O\Big(n^3 + 2^{\dim(C\cap C^\perp)}\, n^2\log(n)\Big), \qquad (3.3)$$


see [35]. To see that the average running time of SSA is polynomially bounded, we need to estimate the $\dim(C\cap C^\perp)$-term in equation (3.3) and the cost for computing the weight enumerator $W$. The worst-case computation cost of $W$ for a $q$-ary code of length $n$ and dimension $k$ is proportional to $nq^k$ operations in $\mathbb{F}$. However, the average cost of computing the weight enumerator is proportional to $2n$ operations [45]. We continue with determining the $\dim(C\cap C^\perp)$-term:

Proposition 3.6. Let $C$ be an $(n,k)$ code over $\mathbb{F}_q$. We call $C\cap C^\perp$ the hull of $C$. The average dimension of the hull of $C$ tends to a constant when the size of the code goes to infinity. This constant is equal to

The proportion of $(n,k)$ codes over $\mathbb{F}_q$ with a hull of dimension $l > 0$ is asymptotically equal to
1 


i=0 
Proof. See [44], [45]. □
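To make the $\dim(C\cap C^\perp)$-term of equation (3.3) and the weight enumerator of Definition 3.3 concrete, the following added example (our own code, not the paper's) computes the hull of a binary code from its generator matrix, evaluates the weight enumerator of the hull, and estimates the average hull dimension of random binary codes as in Proposition 3.6; the bit-mask encoding of vectors and all function names are our own choices.

```python
import random
from typing import Dict, List, Tuple

# Added example, not from the paper. A binary vector of length n is stored as a
# Python int whose bit (n-1-j) is coordinate j; a k x n generator matrix is a
# list of k such ints.


def rref(rows: List[int], n: int) -> Tuple[List[int], List[int]]:
    """Reduced row echelon form over GF(2): (independent rows, pivot columns)."""
    rows, pivots, rank = list(rows), [], 0
    for col in range(n):
        bit = 1 << (n - 1 - col)
        piv = next((i for i in range(rank, len(rows)) if rows[i] & bit), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] & bit:
                rows[i] ^= rows[rank]
        pivots.append(col)
        rank += 1
    return rows[:rank], pivots


def nullspace(rows: List[int], n: int) -> List[int]:
    """Basis of {x : M x^T = 0} over GF(2) for the matrix M given as rows of n bits."""
    red, pivots = rref(rows, n)
    basis = []
    for f in (c for c in range(n) if c not in pivots):  # one vector per free column
        v = 1 << (n - 1 - f)
        for r, p in zip(red, pivots):
            if r & (1 << (n - 1 - f)):
                v |= 1 << (n - 1 - p)
        basis.append(v)
    return basis


def hull_basis(gen: List[int], n: int) -> List[int]:
    """Basis of the hull C ∩ C^⊥ of the code C spanned by gen.

    A codeword aG lies in C^⊥ iff a (G G^T) = 0 over GF(2), so the hull is the
    image of the null space of the k x k Gram matrix G G^T under a -> aG.
    """
    g, _ = rref(gen, n)  # drop dependent rows, so a -> aG is injective
    k = len(g)
    gram = []
    for gi in g:
        row = 0
        for j, gj in enumerate(g):
            if bin(gi & gj).count("1") % 2:  # inner product <g_i, g_j> over GF(2)
                row |= 1 << (k - 1 - j)
        gram.append(row)
    hull = []
    for a in nullspace(gram, k):
        x = 0
        for j in range(k):
            if a & (1 << (k - 1 - j)):
                x ^= g[j]
        hull.append(x)
    return hull


def weight_enumerator(basis: List[int]) -> Dict[int, int]:
    """W(C)_i for the code spanned by basis: number of words of weight i."""
    counts: Dict[int, int] = {}
    d = len(basis)
    for mask in range(1 << d):  # all 2^d codewords (the hull is small in practice)
        x = 0
        for j in range(d):
            if mask >> j & 1:
                x ^= basis[j]
        w = bin(x).count("1")
        counts[w] = counts.get(w, 0) + 1
    return counts


def average_hull_dimension(n: int, k: int, trials: int, seed: int = 1) -> float:
    """Mean dim(C ∩ C^⊥) over random binary (n, k) codes (Proposition 3.6 experiment)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        gen = [rng.getrandbits(n) for _ in range(k)]
        total += len(hull_basis(gen, n))
    return total / trials


# Constructed sample: the self-dual extended Hamming [8,4] code; its hull is the whole code.
EXT_HAMMING_8_4 = [0b11110000, 0b00001111, 0b11001100, 0b10101010]

if __name__ == "__main__":
    hull = hull_basis(EXT_HAMMING_8_4, 8)
    print("hull dimension of the [8,4] extended Hamming code:", len(hull))
    print("weight enumerator of its hull:", weight_enumerator(hull))
    print("mean hull dimension of random (64,32) codes:", average_hull_dimension(64, 32, 200))
```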


As we have already mentioned, SSA is unlikely to terminate in the version of Algorithm 3.3.1. Thus, we have to make some assumptions on its output if we choose other termination criteria for the while-loop than the one given in the algorithm. We will see that these assumptions lead to a suitable termination criterion if $C$ is a Goppa code.

We write $P = \mathrm{SSA}(C)$ if the labeled partition $P = \{(P_j, j)\}_{1\le j\le n}$ is the output of SSA on input of the generator matrix of $C$. The nonempty $P_j$ of the output of SSA are called the cells of $P$. Two labeled partitions $P$ and $P'$ are called equivalent iff a permutation $\pi\in S_n$ exists s.t. for all $s\in I_n$: $|P_s| = |P'_{\pi(s)}|$; we write $P\equiv P'$. The fundamental property of SSA is that

$$C' = \pi(C) \;\Rightarrow\; P\equiv P',$$

where $\pi\in S_n$. Thus the output of SSA on input of two permutation equivalent codes is identical, and the orbits of the elements of the code support under the action of $\mathrm{Aut}(C)$ constitute the finest obtainable partition.

Assumption 3.7. If SSA on input $C$ and $C'$ returns $P, T$ and $P', T'$ respectively, then

$$\big(T(\langle C\rangle, N) = T'(\langle C'\rangle, N)\ \wedge\ P\equiv P'\big) \;\Rightarrow\; \big(\langle C'\rangle = \pi(\langle C\rangle)\big)$$

for some $\pi\in S_n$.


This assumption is satisfied in practice if the number of cells is larger than a few units. From this observation the following assumption about the behavior of SSA is derived:

Assumption 3.8. On input of the generator matrix of $C$, the SSA returns a labeled partition whose cells are the orbits of the elements of the code support under the action of $\mathrm{Aut}(C)$.

Assumption 3.8 seems to hold for (binary) codes of length $> 50$ and is based on experiments by P. Loidreau and N. Sendrier [35]. Now, if we know $\mathrm{Aut}(C)$, then we can easily determine for every function $T$ discriminant for $C$ whether there exists a strictly more discriminant function for $C$ or not. Fortunately we can determine $\mathrm{Aut}(\mathcal{G})$ for a Goppa code $\mathcal{G}$ in some cases:


Theorem 3.9. With the notation of Remark 2.2, let $\mathcal{G}(L, g)$ be a binary $(n,k)$ Goppa code defined by a generator polynomial $g\in\mathbb{F}_{q^m}[X]$ with coefficients from a subfield $\mathbb{F}_{q^s}$ of $\mathbb{F}_{q^m}$. If $n = q^m$, then $\mathrm{Aut}(\mathcal{G})$ contains the automorphism

$$\sigma: \mathbb{F}_{q^m}\to\mathbb{F}_{q^m},\qquad x\mapsto x^{q^s}.$$

Note that the elements $x\in\mathbb{F}_{q^m}$ are the code support and correspond to positions which are determined by $L$.

Proof. The proof is derived from a theorem by Moreno [36], [35]. □


Here we will only consider s = 1, i.e. only binary Goppa codes with binary gen- 
erator polynomial. In such cases, the group generated by the Frobenius field automor- 
phism is in general exactly Aut (G) [35]. Based on this theorem and the assumptions 
above, we get the following termination criterion for Algorithm 3.3.1: 


Remark 3.10. Let $\mathcal{G}$ be a binary Goppa code over $\mathbb{F}_{q^m}$ with binary generator polynomial. Assume that the group generated by the Frobenius field automorphism over $\mathbb{F}_{q^m}$ is exactly $\mathrm{Aut}(\mathcal{G})$. Let $P^{\mathrm{Aut}}$ be the set of different orbits of the code support under the action of $\mathrm{Aut}(\mathcal{G})$. Then the condition

  (a function strictly more discriminant for $\mathcal{G}$ than $T_j$ exists)

in Algorithm 3.3.1 is equivalent to

$$|T_j(\mathcal{G}, N)| < |P^{\mathrm{Aut}}|.$$

Further, the running time of Algorithm 3.3.1 is given by equation (3.3).


Let’s return to the original problem. We do know the public McEliece key (G, t) and 
want to reconstruct the private key. If Assumptions 3.7 and 3.8 hold, we can identify a 


170 D. Engelbert, R. Overbeck, and A. Schmidt 


weak key (i.e. a McEliece instance generated with a binary generator polynomial) by comparing the cardinalities of the cells of $\mathrm{SSA}(\langle G\rangle)$ with the cardinalities of the different orbits of the elements of the code support under the action of $\mathrm{Aut}(\langle G\rangle)$: If the SSA does not terminate or returns a function $T$ such that

$$|T(\langle G\rangle, N)| \neq |P^{\mathrm{Aut}}|,$$

then we assume that $\langle G\rangle = \mathcal{G}$ does not have a binary generator polynomial. Otherwise, we identify a "weak key", i.e. we assume that $\mathcal{G}$ has a binary generator polynomial.

Once a weak key is identified, we can determine the binary Goppa polynomial used to generate the public key $G$ by brute force. We check if

$$\mathrm{SSA}(\langle G\rangle) \equiv \mathrm{SSA}\big(\mathcal{G}(L, g(X))\big)$$

for all (irreducible) binary polynomials $g$ of degree $t$, where $\mathcal{G}(L, g(X))$ denotes the Goppa code defined by the set $L$ and $g$ (compare Section 2). After having identified the generator polynomial of $\mathcal{G}$, one can determine the secret permutation matrix $P$. In order to do so, we have to pick an $i\in\{1,\dots,n\}$ s.t. $\mathrm{Aut}(\mathcal{G}_{\{i\}}) = \{1\}$ and a $j$ out of the orbit of $i$ under $\mathrm{Aut}(\mathcal{G})$. Then $\mathcal{G}_{\{i\}}$ and $\langle G\rangle_{\{j\}}$ are equivalent, and we get the permutation by applying SSA to both. This produces partitionings containing only cells of cardinality one (under Assumption 3.8), and the matches between the cells provide the permutation. The authors of [35] claim that most $i$ satisfy the last condition. The number of irreducible binary polynomials of degree 50 is approximately $2^{44}$. Thus the average runtime of the attack on weak keys for McEliece parameters $n = 1024$, $t = 50$ is

$$(2^{44}+1)\cdot O\big(n^3 + 2^R n^2\log(n)\big) = 2^{[\text{exponent illegible in source}]},$$

where $R$ is given in Proposition 3.6. We conclude that the choice of $n = 1024$, $t = 50$ for McEliece does not reach the desired level of security if we want to use binary generator polynomials.


There is a possibility to speed up this attack by a factor of $(\log(n))^2$ if we first check the idempotent subcodes against each other in the brute force part of the attack, instead of comparing the Goppa codes themselves.


Definition 3.11. Let $\mathcal{G}$ be a Goppa code. Then a word $a\in\mathcal{G}$ is called idempotent if

$$a = (a_x)_{x\in\mathbb{F}_{q^m}} = (a_{\sigma(x)})_{x\in\mathbb{F}_{q^m}}.$$

The set of all idempotents of $\mathcal{G}$ is a linear subcode of $\mathcal{G}$ and is called the idempotent subcode $\mathcal{I}_{\mathcal{G}}$ of $\mathcal{G}$.

The subcode $\mathcal{I}_{\mathcal{G}}$ may be mapped to a linear code $\mathcal{I}$ of length equal to the number of different orbits of $\mathbb{F}_{q^m}$ under $\sigma$ [35]. The code $\mathcal{I}$ has the same dimension as $\mathcal{I}_{\mathcal{G}}$, and its length is shorter by a factor close to $m$. We conclude that the use of the idempotent subcode provides a speedup of the attack close to the factor $m^2$; thus the choice of a binary generator polynomial for the secret Goppa codes does not provide sufficient security, even for parameter sets with $n > 1024$.
Remark 3.12. This attack may be generalized to detect Goppa codes with a generator polynomial over any subfield of $\mathbb{F}_{q^m}$, but the class detected this way is much too big to perform an exhaustive search. Further, the number of polynomials classified by this property is much too small to provide an effective attack against the McEliece cryptosystem.


4 Ciphertext only attacks 


In this section, we will first present algorithms for solving the general decoding problem (see Problem 1.3). These algorithms yield different attacks against cryptosystems based on linear error-correcting codes. On input of a code generator matrix $G$ (a part of the public key) and a ciphertext $c$, these attacks compute the plaintext corresponding to the ciphertext $c$. Although these attacks require exponential time, they are faster than the brute force algorithm.

At the end of the section, we will describe an attack by Brickell and Odlyzko [7] 
based on lattice reduction and show why this attack does not work with McEliece or 
Niederreiter cryptosystems based on binary Goppa codes. 


4.1 Generalized information-set-decoding attack 


This attack was proposed by McEliece in his original paper [37]. Lee and Brickell sys- 
tematized and generalized it in [30]. It solves the general decoding problem assuming 
the knowledge of an upper bound for the distance to the next code word. 

We will begin by presenting the idea of the attack. Assume we are given a generator matrix $G$ of a linear error-correcting code and a ciphertext $c = mG\oplus e$, where $e$ is the error vector of weight $t$. Then we randomly choose $k$ columns of $G$ and $c$. If there is no error in the chosen columns of $c$ and the $k\times k$ matrix built from the $k$ columns of $G$ is invertible, then we can easily determine $m$.

Now we will give a detailed description of the attack. It proceeds as follows. Let $I\subseteq\{0,\dots,n-1\}$ with $|I| = k = \dim G$. As in Section 1.2 we denote by $G_I$, $c_I$, and $e_I$ the $k$ columns picked from $G$, $c$, and $e$, respectively. Then the following relationship is true:

$$c_I = mG_I\oplus e_I.$$

If $G_I$ is non-singular and $e_I = 0$, then

$$m = c_I G_I^{-1}.$$

If $G_I$ is non-singular and $\mathrm{wt}(e_I)$ is small, then $m$ can be recovered by guessing $e_I$ and checking whether

$$\mathrm{wt}\big((c_I\oplus e_I)\,G_I^{-1}G\oplus c\big) = t.$$


Algorithm 4.1.1 GISD

Input: A $k\times n$ generator matrix $G$, a ciphertext $c = mG\oplus e$, where $m$ is the plaintext and $e$ is the error vector of weight $t$, a positive integer $j\le t$.
Output: The plaintext $m$.

  while true do
    Choose randomly $I\subseteq\{0,\dots,n-1\}$ with $|I| = k$.
    $Q_1 = G_I^{-1}$; $Q_2 = Q_1 G$
    $z = c\oplus c_I Q_2$
    for $i = 0$ to $j$ do
      for all $e_I$ with $\mathrm{wt}(e_I) = i$ do
        if $\mathrm{wt}(z\oplus e_I Q_2) = t$ then
          return $(c_I\oplus e_I)\,Q_1$

We will estimate the work factor of this attack (see Algorithm GISD). The number of sets $I$ such that there are exactly $i$ errors in the vector $c_I$ is $\binom{t}{i}\binom{n-t}{k-i}$. The number of all sets $I$ with $|I| = k$ is $\binom{n}{k}$. Therefore, the expected number of trials for choosing a set $I$ such that there are at most $j$ errors in the vector $c_I$ is

$$T_j = \frac{\binom{n}{k}}{\sum_{i=0}^{j}\binom{t}{i}\binom{n-t}{k-i}}.$$


The number of error vectors $e_I$ with $\mathrm{wt}(e_I)\le j$ is

$$N_j = \sum_{i=0}^{j}\binom{k}{i}.$$

Therefore the expected work factor of the attack for given $j$ and an $(n,k)$ Goppa code with minimum distance $2t+1$ is

$$W_j = \alpha\, T_j\,(k^3 + N_j k),$$

where $\alpha$ is a small constant. In [30] the authors propose to use $j = 2$ to minimize $W_j$.


4.2 Finding-low-weight-codeword attacks 


In this section, we will present three algorithms which solve the problem of finding weights (see Problem 1.4). These algorithms can be used to break McEliece or Niederreiter cryptosystems in the following way. Assume we know a generator matrix $G$ of a linear error-correcting code with minimum distance $t$ and a ciphertext $c = mG\oplus e$, where $\mathrm{wt}(e) < t/2$. We compute the codeword with the minimum weight in a new code generated by the matrix

$$\begin{pmatrix} G \\ c \end{pmatrix}.$$

Since this codeword is $e$, this attack can be used to recover the plaintext $m$ from the given ciphertext $c$.

All three algorithms presented below are based on the same idea. Assume we have a code $C$ given by a generator matrix $G$. The algorithms first search for codewords of small weight in a restricted code generated by $G_S$, where $S$ is a random subset of $\{0,\dots,n-1\}$. Then they expand these codewords to codewords in $C$ and check whether the codewords in $C$ have the desired weight. The algorithms differ in the way of choosing the set $S$ and in the strategy of searching for codewords of small weight in the restricted code.

Before we describe the algorithms, we will give some necessary notations and definitions.

Let $N = \{0,\dots,n-1\}$ be the set of all coordinates. As in the last section, we will use the set $I\subseteq N$ with $|I| = k = \dim G$.

By $G = (V, W)_I$ we will denote the decomposition of $G$ into two matrices $V$ and $W$, such that $V = (G_i)_{i\in I}$ and $W = (G_i)_{i\notin I}$, where $G_i$ is the $i$-th column of $G$.

Now we will introduce the information set, which allows us to reduce the computation cost in the algorithms we will present below.

Definition 4.1. Let $I\subseteq N$ such that $|I| = k$. Then $I$ is an information set for the code $C$ iff there is a generator matrix $G$ for $C$ such that $G = (\mathrm{Id}_k, Z)_I$.


The following statement for information sets is true. 


Theorem 4.2. Let $I$ be an information set and $G = (\mathrm{Id}_k, Z)_I$ the corresponding systematic generator matrix. Then $I' = (I\setminus\{\lambda\})\cup\{\mu\}$ is an information set iff $Z_{\lambda,\mu} = 1$.

Proof. Since $G = (\mathrm{Id}_k, Z)_I$, we have

$$G_\mu = Z_{\lambda,\mu}\, G_\lambda + \sum_{i\in I\setminus\{\lambda\}} Z_{i,\mu}\, G_i.$$

Columns indexed by $I$ are linearly independent, therefore $G_\mu$ and $(G_i)_{i\in I\setminus\{\lambda\}}$ are linearly independent iff $Z_{\lambda,\mu} = 1$. □


Now we will describe the algorithms by Leon, Stern, and Canteaut and Chabaud. 


4.2.1 Leon 


In [32], J. S. Leon proposed a probabilistic algorithm for computing minimum weights 
of large linear error-correcting codes. This algorithm can also be adapted for comput- 
ing codewords of minimum weight in a linear code. 

In this paper, we will present a version of the algorithm which is slightly different 
from version presented by Leon in [32]. This version was presented by Chabaud in 
[11]. 

The input of the algorithm is a generator matrix $G$, the weight $t$, and two additional integers $p$ and $l$ which control the runtime and the success probability of the algorithm. The algorithm returns a codeword of weight $t$ or fails. The algorithm executes the following steps.

Step 1: Randomly choose an information set $I$ and apply a Gaussian elimination in order to obtain a systematic generator matrix $G^* = (\mathrm{Id}_k, Z)_I$.

Step 2: Randomly choose a set $\mathcal{L}\subseteq N\setminus I$ consisting of $l$ elements.

Step 3: For each linear combination $A$ of $p$ or fewer rows of the matrix $G^*_{I\cup\mathcal{L}}$ compute $\mathrm{wt}(A_{I\cup\mathcal{L}})$.

Step 4: If $\mathrm{wt}(A_{I\cup\mathcal{L}})\le p$, check whether the same linear combination applied to the matrix $G^*$ has weight $t$. If that is the case, then return the last linear combination. If there is no linear combination which fulfills the above condition, then the algorithm fails.


Next, we will analyze the algorithm. Thereby we assume that zeros and ones in the codewords are distributed almost uniformly.

At first, we will determine the success probability. It depends on favorable choices of $I$ and $\mathcal{L}$. Assume we have a codeword $e$ with $\mathrm{wt}(e) = t$. Fix $p, l\in\mathbb{Z}$; then the following conditions lead to favorable choices of $I$ and $\mathcal{L}$:

$$I\subseteq N,\quad |I| = k,\quad \mathcal{L}\subseteq N\setminus I,\quad |\mathcal{L}| = l,\quad \mathrm{wt}(e_{I\cup\mathcal{L}})\le p.$$

Therefore, Leon's algorithm succeeds with probability

$$\Pr[\text{algorithm succeeds}] = \frac{\sum_{j=1}^{p}\binom{t}{j}\binom{n-t}{k+l-j}}{\binom{n}{k+l}}.$$

Next, we will estimate the expected work factor of the algorithm.

• The Gaussian elimination performed in step 1 requires on the average $\frac{k^2}{2}\big(n-\frac{k}{2}\big)$ bit operations.

• Step 3 requires $\sum_{i=1}^{p}\binom{k}{i}(i-1)$ additions of $l$-bit words.

• Since in step 4 the condition $\mathrm{wt}(A_{I\cup\mathcal{L}})\le p$ is true approximately $\sum_{j=1}^{p}\binom{k}{j}\frac{\sum_{i=0}^{p-j}\binom{l}{i}}{2^l}$ times, the algorithm requires $\sum_{j=1}^{p}\binom{k}{j}(j-1)\frac{\sum_{i=0}^{p-j}\binom{l}{i}}{2^l}$ additions of $n$-bit words.

Therefore, the expected work factor of Leon's attack against the McEliece cryptosystem is

$$\frac{\binom{n}{k+l}}{\sum_{j=1}^{p}\binom{t}{j}\binom{n-t}{k+l-j}}\left(\frac{k^2}{2}\Big(n-\frac{k}{2}\Big) + l\sum_{i=1}^{p}\binom{k}{i}(i-1) + n\sum_{j=1}^{p}\binom{k}{j}(j-1)\frac{\sum_{i=0}^{p-j}\binom{l}{i}}{2^l}\right). \qquad (4.1)$$

To minimize the work factor, in [11] the parameters of Leon's attack are chosen to be $p = 3$ and $l\approx k + \log_2(n)$.
Algorithm 4.2.1 LEON-LWCW

Input: A $k\times n$ generator matrix $G$, positive integers $t$, $p$, and $l$.
Output: A codeword of weight $t$.

  $N = \{0,\dots,n-1\}$
  while true do
    /* Step 1 */
    $I = \emptyset$; $P = \emptyset$
    for $i = 1$ to $k$ do
      Randomly choose $r\in N\setminus I$; $I = I\cup\{r\}$
      Randomly choose $c\in\{1,\dots,k\}\setminus P$ such that $G_{c,r} = 1$; $P = P\cup\{c\}$
      /* Eliminate all 1's in column $r$ */
      for $j = 1$ to $k$ do
        if $j\neq c$ and $G_{j,r} = 1$ then
          $G_j = G_j - G_c$, where $G_x$ is the $x$-th row of $G$
    /* now we have $G = (\mathrm{Id}_k, Z)_I$ */

    /* Step 2 */
    Randomly choose $\mathcal{L}\subseteq N\setminus I$ such that $|\mathcal{L}| = l$

    /* Steps 3 and 4 */
    for all linear combinations $A$ of $p$ or fewer rows of $G_{I\cup\mathcal{L}}$ do
      if $\mathrm{wt}(A_{I\cup\mathcal{L}})\le p$ then
        Construct $x$ from $G$ by taking the same rows as in $A$
        if $\mathrm{wt}(x) = t$ then
          return $x$


4.2.2 Stern 


In this section, we will present a slightly modified algorithm from [49]. We apply our 
algorithm to a generator matrix of a code instead of a parity check matrix as presented 
by Stern. 

On input of a generator matrix $G$ and three integers $t$, $p$ and $l$, the algorithm returns a codeword of weight $t$ or fails. The additional parameters $p$ and $l$ allow us to control the runtime and the success probability of the algorithm. Thus, knowing that such a codeword exists, we can repeat the algorithm until it succeeds.

The algorithm is based on the following idea. It randomly splits $G$ into two submatrices which consist of rows of the matrix $G$. In each matrix, the algorithm computes all linear combinations of $p$ rows and checks whether certain parts of these linear combinations are equal. If they are equal, then the algorithm checks whether the weight of the remaining parts is equal to $t$. In this case the algorithm succeeds.

The algorithm performs the following five steps:

Step 1: Randomly choose an information set $I$ and apply a Gaussian elimination in order to obtain a systematic generator matrix $G^* = (\mathrm{Id}_k, Z)_I$.

Step 2: Randomly split $I$ into two subsets $I_1$ and $I_2$. Each element of $I$ is added either to $I_1$ or to $I_2$ with probability $1/2$. This causes a splitting of the rows of $Z$ into $Z_{I_1}$ and $Z_{I_2}$.

Step 3: Randomly choose a set $\mathcal{L}\subseteq N\setminus I$ consisting of $l$ elements.

Step 4: For each linear combination $A$ (resp. $B$) of $p$ rows of the matrix $Z_{I_1}$ (resp. $Z_{I_2}$) compute $A_{\mathcal{L}}$ (resp. $B_{\mathcal{L}}$).

Step 5: For each pair $(A, B)$ with $A_{\mathcal{L}} = B_{\mathcal{L}}$ check whether $\mathrm{wt}(A+B) = t-2p$. If that is the case, then return the vector $e$ consisting of the linear combination of rows of $G^*$ where the same rows as in $A+B$ are taken. If there is no pair which fulfills the above conditions, then the algorithm fails.


We will analyze the algorithm. At first, we will determine the probability that it succeeds. It depends on the choices of $I$, $I_1$, $I_2$, and $\mathcal{L}$. Assume we have a codeword $e$ with $\mathrm{wt}(e) = t$. Fix $p, l\in\mathbb{Z}$. Then we have the following conditions:

1. $|I| = k$ and $\mathrm{wt}(e_I) = 2p$,

2. $I_1\subseteq I$, $\mathrm{wt}(e_{I_1}) = p$, and $I_2 = I\setminus I_1$,

3. $\mathcal{L}\subseteq N\setminus I$, $|\mathcal{L}| = l$, $\mathrm{wt}(e_{N\setminus I}) = t-2p$, and $\mathrm{wt}(e_{\mathcal{L}}) = 0$.

These conditions imply the probabilities of choosing sets $I$, $I_1$, $I_2$, and $\mathcal{L}$ which yield the given codeword $e$:

$$\Pr[\text{of choosing a favorable } I] = \frac{\binom{t}{2p}\binom{n-t}{k-2p}}{\binom{n}{k}},$$

$$\Pr[\text{of choosing a favorable } I_1] = \frac{\binom{2p}{p}}{2^{2p}}\quad\text{(here we assume } 2p\le k\text{)},$$

$$\Pr[\text{of choosing a favorable } \mathcal{L}] = \frac{\binom{n-k-(t-2p)}{l}}{\binom{n-k}{l}}.$$

The probability of success of Stern's algorithm is the product of the above probabilities. Thus, we have

$$\Pr[\text{the algorithm succeeds}] = \Pr[\text{of choosing a favorable } I]\cdot\Pr[\text{of choosing a favorable } I_1]\cdot\Pr[\text{of choosing a favorable } \mathcal{L}]. \qquad (4.2)$$
Algorithm 4.2.2 STERN-LWCW

Input: A $k\times n$ generator matrix $G$, positive integers $t$, $p$, and $l$.
Output: A codeword of weight $t$.

  $N = \{0,\dots,n-1\}$
  while true do
    /* Step 1 */
    $I = \emptyset$; $P = \emptyset$
    for $i = 1$ to $k$ do
      Randomly choose $r\in N\setminus I$; $I = I\cup\{r\}$
      Randomly choose $c\in\{1,\dots,k\}\setminus P$ such that $G_{c,r} = 1$; $P = P\cup\{c\}$
      /* Eliminate all 1's in column $r$ */
      for $j = 1$ to $k$ do
        if $j\neq c$ and $G_{j,r} = 1$ then
          $G_j = G_j - G_c$, where $G_x$ is the $x$-th row of $G$
    /* now we have $G = (\mathrm{Id}_k, Z)_I$ */

    /* Step 2 */
    Randomly split $I$ into $I_1$ and $I_2$

    /* Step 3 */
    Randomly choose $\mathcal{L}\subseteq N\setminus I$ such that $|\mathcal{L}| = l$

    /* Steps 4 and 5 */
    for all linear combinations $A$ of $p$ rows of $Z_{I_1}$ do
      store $(A_{\mathcal{L}}, A, \text{index of rows})$ in a hash table $T$
    for all linear combinations $B$ of $p$ rows of $Z_{I_2}$ do
      if there exists $(B_{\mathcal{L}}, A, \text{index of rows})\in T$ and $\mathrm{wt}\big((A+B)_{N\setminus(I\cup\mathcal{L})}\big) = t-2p$ then
        Construct $x$ from $G$ by taking the same rows as in $A+B$
        return $x$
Next, we will estimate the expected work factor.

• The Gaussian elimination performed in step 1 requires on the average $\frac{k^2}{2}\big(n-\frac{k}{2}\big)$ bit operations.

• Step 4 requires on the average $2lp\binom{k/2}{p}$ bit operations.

• In step 5 we assume that the distribution of the values $A_{\mathcal{L}}$ (resp. $B_{\mathcal{L}}$) is roughly uniform. Then any bit vector of dimension $l$ is hit by approximately $\binom{k/2}{p}/2^l$ elements of $A$ (resp. $B$). It follows that step 5 requires approximately $2(n-k)\binom{k/2}{p}^2/2^l$ bit operations.

Thus, Stern's algorithm requires on average

$$\frac{k^2}{2}\Big(n-\frac{k}{2}\Big) + 2lp\binom{k/2}{p} + 2(n-k)\frac{\binom{k/2}{p}^2}{2^l} \qquad (4.3)$$

bit operations. By combining the results of (4.2) and (4.3), we conclude that the expected work factor of Stern's attack against the McEliece cryptosystem is

$$\frac{\binom{n}{k}\,2^{2p}\,\binom{n-k}{l}}{\binom{t}{2p}\binom{n-t}{k-2p}\binom{2p}{p}\binom{n-k-(t-2p)}{l}}\left(\frac{k^2}{2}\Big(n-\frac{k}{2}\Big) + 2lp\binom{k/2}{p} + 2(n-k)\frac{\binom{k/2}{p}^2}{2^l}\right). \qquad (4.4)$$
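The work-factor formulas are what a parameter choice for McEliece rests on, so the following added example (our own code, not the paper's) evaluates $W_j$ from Section 4.1 and equation (4.4) from Section 4.2.2 exactly with big integers for the parameter sets the paper discusses; it assumes $\alpha = 1$ and $t = (d-1)/2$, and the function names and the small $(p,l)$ search grid are our own.

```python
from fractions import Fraction
from math import comb, log2
from typing import Tuple

# Added example, not from the paper: exact evaluation of W_j (Section 4.1,
# Lee-Brickell GISD) and of equation (4.4) (Section 4.2.2, Stern).
# Assumptions: alpha = 1 in W_j; (n, k, t) describe a binary Goppa code with
# t = (d - 1) / 2 errors; results are bit-operation counts up to that constant.


def gisd_work_factor(n: int, k: int, t: int, j: int) -> Fraction:
    """W_j = T_j (k^3 + N_j k) with T_j = C(n,k) / sum_{i<=j} C(t,i) C(n-t,k-i)."""
    favourable = sum(comb(t, i) * comb(n - t, k - i) for i in range(j + 1))
    t_j = Fraction(comb(n, k), favourable)       # expected number of sets I tried
    n_j = sum(comb(k, i) for i in range(j + 1))  # error patterns e_I tested per set
    return t_j * (k ** 3 + n_j * k)


def best_gisd_j(n: int, k: int, t: int, max_j: int = 4) -> int:
    """The j in 0..max_j minimising W_j (the paper quotes j = 2 from [30])."""
    return min(range(max_j + 1), key=lambda j: gisd_work_factor(n, k, t, j))


def stern_success_probability(n: int, k: int, t: int, p: int, l: int) -> Fraction:
    """Product (4.2): favourable I, favourable I_1 (needs 2p <= k), favourable L."""
    pr_i = Fraction(comb(t, 2 * p) * comb(n - t, k - 2 * p), comb(n, k))
    pr_i1 = Fraction(comb(2 * p, p), 2 ** (2 * p))
    pr_l = Fraction(comb(n - k - (t - 2 * p), l), comb(n - k, l))
    return pr_i * pr_i1 * pr_l


def stern_iteration_cost(n: int, k: int, p: int, l: int) -> Fraction:
    """Bit operations of one iteration, equation (4.3)."""
    gauss = Fraction(k * k, 2) * (n - Fraction(k, 2))             # step 1
    step4 = 2 * l * p * comb(k // 2, p)                           # step 4
    step5 = Fraction(2 * (n - k) * comb(k // 2, p) ** 2, 2 ** l)  # step 5
    return gauss + step4 + step5


def stern_work_factor(n: int, k: int, t: int, p: int, l: int) -> Fraction:
    """Equation (4.4): cost of one iteration divided by the success probability (4.2)."""
    return stern_iteration_cost(n, k, p, l) / stern_success_probability(n, k, t, p, l)


def log2_fraction(w: Fraction) -> float:
    """log2 of an exact rational whose numerator and denominator may be huge."""
    return log2(w.numerator) - log2(w.denominator)


def best_stern_parameters(n: int, k: int, t: int) -> Tuple[int, int]:
    """Cheapest (p, l) on a small grid (our own choice of grid, p <= 3)."""
    grid = [(p, l) for p in (1, 2, 3) for l in range(8, 41, 4)]
    return min(grid, key=lambda pl: stern_work_factor(n, k, t, *pl))


if __name__ == "__main__":
    # Parameter sets from the paper: original McEliece (1024, 524, t = 50) and (2048, 1278, t = 70).
    for n, k, t in [(1024, 524, 50), (2048, 1278, 70)]:
        j = best_gisd_j(n, k, t)
        p, l = best_stern_parameters(n, k, t)
        print(f"({n},{k},{t}): GISD j={j}: 2^{log2_fraction(gisd_work_factor(n, k, t, j)):.1f},"
              f" Stern p={p},l={l}: 2^{log2_fraction(stern_work_factor(n, k, t, p, l)):.1f}")
```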


4.2.3 Canteaut and Chabaud 


As mentioned above, Stern's algorithm has to be repeated very often in order to decrypt successfully. Each repetition performs in the first step a Gaussian elimination, which is very time consuming. In [9] the authors suggest another strategy for this step. Based on Theorem 4.2, they suggest choosing a new information set not randomly but by modifying only one element of the old one. The complexity of this new step is approximately $k(n-k)/2$ binary operations instead of $\frac{k^2}{2}\big(n-\frac{k}{2}\big)$ in Stern's algorithm.

The precise analysis of the Algorithm CC-LWCW can be found in [9, 10]. Here we will present only the results. The algorithm is analyzed via modeling by a Markov chain. For this purpose we need a random variable $X_i$ which represents the $i$-th iteration of the algorithm and corresponds to the number of non-zero bits of the ciphertext $c$ in $I$. $X_i$ takes one of the values of the set $E = (\{1,\dots,t\}\setminus\{2p\})\cup\{(2p)_S, (2p)_F\}$. The set of success states is $S = \{(2p)_S\}$. The set of failure states is $F = E\setminus S$.


Theorem 4.3. The following results for the Algorithm CC-LWCW are true: 


1. The average number of elementary operations performed in each while-iteration is 


onnan (P) ranee- ss (CP) +2) te 


where S is the size of a computer word (= 32 or 64). 
Algorithm 4.2.3 CC-LWCW

Input: A $k\times n$ generator matrix $G$, positive integers $t$, $p$, and $l$.
Output: A codeword of weight $t$.

  $N = \{0,\dots,n-1\}$

  /* Step 1 */
  $I = \emptyset$; $P = \emptyset$
  for $i = 1$ to $k$ do
    Randomly choose $r\in N\setminus I$; $I = I\cup\{r\}$
    Randomly choose $c\in\{1,\dots,k\}\setminus P$ such that $G_{c,r} = 1$; $P = P\cup\{c\}$
    /* Eliminate all 1's in column $r$ */
    for $j = 1$ to $k$ do
      if $j\neq c$ and $G_{j,r} = 1$ then
        $G_j = G_j - G_c$, where $G_x$ is the $x$-th row of $G$
  /* now we have $G = (\mathrm{Id}_k, Z)_I$ */

  while true do
    /* Step 2 */
    Randomly split $I$ into $I_1$ and $I_2$ with $|I_1| = \lfloor |I|/2\rfloor$

    /* Step 3 */
    Randomly choose $\mathcal{L}\subseteq N\setminus I$ such that $|\mathcal{L}| = l$

    /* Steps 4 and 5 */
    for all linear combinations $A$ of $p$ rows of $Z_{I_1}$ do
      store $(A_{\mathcal{L}}, A, \text{index of rows})$ in a hash table $T$
    for all linear combinations $B$ of $p$ rows of $Z_{I_2}$ do
      if there exists $(B_{\mathcal{L}}, A, \text{index of rows})\in T$ and $\mathrm{wt}\big((A+B)_{N\setminus(I\cup\mathcal{L})}\big) = t-2p$ then
        Construct $x$ from $G$ by taking the same rows as in $A+B$
        return $x$

    /* New step 1 */
    Randomly choose $\lambda\in I$
    Find the unique $r$ such that $G_{r,\lambda} = 1$
    Randomly choose $\mu\in N\setminus I$ such that $Z_{\lambda,\mu} = 1$
    $I = (I\setminus\{\lambda\})\cup\{\mu\}$
    /* Update $Z$ appropriate to the new $I$ */
    for $i = 1$ to $k$ do
      if $r\neq i$ and $G_{i,\mu} = 1$ then
        $G_i = G_i - G_r$, where $G_x$ is the $x$-th row of $G$




2. Let $\pi_0(u) = \Pr[X_0 = u]$, $P_{u,v} = \Pr[X_i = v \mid X_{i-1} = u]$, $Q = (P_{u,v})_{u,v\in F}$, and $R = (I-Q)^{-1}$. Then the expectation of the number of while-iterations $N$ is

$$E(N) = \sum_{u\in F}\pi_0(u)\sum_{v\in F} R_{u,v}.$$

3. Suppose the number of codewords of weight $t$ is $A_t$ (note that $A_t = 1$ in our attack). Then the overall work factor of the algorithm is

$$W_{p,l} = \frac{\Omega_{p,l}\, E(N)}{A_t}, \qquad (4.5)$$

where $\Omega_{p,l}$ is the per-iteration cost of item 1.

The exact values of the entries of the matrix $P$ and a more detailed analysis may be found e.g. in [10]. To get an approximate work factor, one can replace the $\frac{k^2}{2}\big(n-\frac{k}{2}\big)$ term in equation (4.4) by $k(n-k)/2$.


4.3 Statistical decoding 


This attack was presented by A. Kh. Al Jabri in [1]. It is based on the idea that vectors from the dual space of a binary code which are not orthogonal to the ciphertext reveal some information on the error positions. This attack needs an algorithm which finds a sufficient number of vectors of the dual code of a certain weight. It is not clear what the running time of such a search would be, since the problem of finding the desired set of vectors is connected to Problem 1.4 (SUBSPACE WEIGHTS). Further, we know little about the true minimum distance of the dual code (see e.g. [13]).

Let $H_w$ be a set of vectors of weight $w$ of the dual space of the $(n,k,2t+1)$ linear binary code $\mathcal{G}$ with generator matrix $G$. Let $y$ be the sum of a codeword $uG\in\mathcal{G}$ and an error vector $e$ of weight at most $t$. A. Kh. Al Jabri points out that for randomly generated codes the probability that a value of $1$ appears in the $i$-th position of $h\in H_w$ with $yh^T = 1$ depends on $i$ being an erroneous position in the vector $y$. Let $p$ be the probability that $h_i = 1$ and $i$ is an erroneous position, and $q$ be the probability that $h_i = 1$ and $i$ is a non-erroneous position. Then we have

pews) 4 Daa 
Dae) Die ees 
for all $h$ satisfying $yh^T = 1$.

The idea of statistical decoding is quite similar to the one of iterative decoding; see [15]. It consists of estimating the probability that $h_i = 1$ and $yh^T = 1$ for each position $i$, considering different vectors $h$. Unlike in iterative decoding, we do not determine a single error position, but try to determine an information set of non-error positions. If for example $p > q$, then we assume that $i$ is a non-error position if the relative frequency estimate is lower than a certain bound. Once we have found a (presumably) non-erroneous information set by modifying the bound, we try to correct errors.


We can recover $u$ using Algorithm 4.3.1 if $H_w$ is properly chosen. Note that for $i\in\{1,\dots,n\}$ a (non-)error position, the value $v_i/v_0^*$ with $v_0^* := \sum_{h\in H_w}(yh^T \bmod 2)$ is the relative frequency estimate for $p$ ($q$ respectively). The mean value of $v_i$ is $p\,v_0^*$ and its variance is $\sigma^2 = p(1-p)\,v_0^*$. The sets $J_1$ and $J_2$ are introduced to cover the cases where $p < q$ or $p > q$.


Algorithm 4.3.1 STATDEC
Input: $H_w$, $y$.
Output: $u$, the information vector.

  $v = \sum_{h\in H_w}(yh^T \bmod 2)\,h \in\mathbb{Z}^n$.
  choose $J_1 = \{$positions of the $k$ largest entries of $v\}$ s.t. $G_{\cdot J_1}$ is invertible.
  choose $J_2 = \{$positions of the $k$ smallest entries of $v\}$ s.t. $G_{\cdot J_2}$ is invertible.
  $u_1 = y_{J_1}\, G_{\cdot J_1}^{-1}$
  $u_2 = y_{J_2}\, G_{\cdot J_2}^{-1}$
  if $\mathrm{weight}(u_1 G\oplus y)\le t$ then
    $u = u_1$
  else
    $u = u_2$


The work factor for Algorithm 4.3.1 is

$$O\big(n\cdot|H_w| + 2k^3 + kn\big)$$

binary operations, having computed the set $H_w$ in advance. The author of [1] claims that this can be done e.g. by the methods of [9], which is to be doubted (compare [40] and [15]).

The difference between $p$ and $q$ is very small for large codes, so we need a set $H_w$ s.t. the relative frequency estimates of $p$ (and $q$ respectively) lie within $\varepsilon < |p-q|$ of the actual values with a reliability of $0.95$. Al Jabri's initial analysis of the size of $H_w$ needed for error correction seems to be too optimistic. A more realistic bound is

$$|H_w| = 5.4\cdot p(1-p)\,\frac{1}{(p-q)^2} \qquad (4.6)$$

from [40], which is about a factor $2^{14}$ larger than Al Jabri's original bound (compare as well [15]).

It is obvious that a set $H_w$ of the desired size will not even exist if $w$ is chosen too small. Goppa codes, BCH codes and GRS codes have a weight distribution "close" to the expected weight distribution of a random code, which is the binomial distribution [1]. Consequently, we get the following condition for $H_w$:

$$|H_w| \le \binom{n}{w}2^{-k}$$

if we want to decode e.g. a random code or a Goppa code.

Table 1 shows some example sizes to attack McEliece this way, where the work factor refers to the computational costs after having computed the set $H_w$. One can see that the original parameters $(1024, 512, 101)$ are no longer secure if we can compute the set $H_w$ efficiently, and if a set $H_w$ of the size given in equation (4.6) is sufficient for correct decoding.

In [40] an improved version of STATDEC is proposed, but the author concludes that this improvement is not sufficient to attack the McEliece cryptosystem by statistical decoding, due to the large amount of precomputation needed. The authors of [15] conclude that for iterative decoding a smaller set $H_w$ than for the initial STATDEC is sufficient as well. However, the size of $H_w$ needed is still very large, and in consequence it is infeasible to compute $H_w$ by the existing methods.


McEliece parameters $(2^m, k, d = 2t+1)$ | $w$ | $|p-q|$ | $|H_w|$ | $\binom{n}{w}2^{-k}$ | Work factor STATDEC
(1024, 524, 101) | 137 | $0.2\cdot 10^{-7}$ | [illegible] | [illegible] | $2^{51}$
(1024, 524, 101) | 153 | $0.21\cdot 10^{-8}$ | $2^{58}$ | $2^{94}$ | $2^{68}$
(2048, 1278, 141) | 363 | $0.41\cdot 10^{-4}$ | [illegible] | $2^{96.9}$ | $2^{107}$
(65536, 65392, 9) | 32000 | $0.17\cdot 10^{-8}$ | [illegible] | $2^{102.7}$ | $2^{103}$

Table 1. STATDEC for example parameter sets


4.4 Lattice attacks 


In [7], the authors suggest to apply the low density algorithm from [29] to break Nieder- 
reiter cryptosystem. In this section we give an idea of this attack and explain why this 
attack doesn’t work with Niederreiter/McEliece cryptosystems based on binary Goppa 
codes. 

The attack proceeds as follows. Given a parity check matrix $H \in \mathbb{F}_q^{n \times (n-k)}$ of a 
Goppa code and a ciphertext $c = mH$, where $m$ is a message, i.e. $\mathrm{wt}(m) = t$ (see 
Section 1.4). Write $\binom{H}{c}$ for the $(n+1) \times (n-k)$ matrix obtained by appending $c$ as a last row to $H$, and let $L$ be the lattice generated by the row vectors of the matrix 

$$Q = \begin{pmatrix} \mathrm{Id}_{n+1} & r \binom{H}{c} \\ 0 & qr\,\mathrm{Id}_{n-k} \end{pmatrix},$$

where $\mathrm{Id}_s$ is the identity matrix of dimension $s$ and $r$ is an integer. The vector $m^* = 
(m_1, \ldots, m_n, -1, 0, \ldots, 0)$ is a vector in the lattice: it equals $(m, -1)$ times the first $n+1$ rows 
minus a suitable integer combination of the last $n-k$ rows, because $mH - c \equiv 0 \pmod q$. It has at most $t+1$ nonzero 
entries. If $r > t$, then the authors claim that $m^*$ is a shortest vector in the lattice. So by 
finding this vector we can determine the corresponding plaintext. 

Unfortunately, this is not true for fields of characteristic 2. The reason for this failure 
is that $m^*$ is not the shortest vector for $q = 2$. The shortest vectors are $2e_1, \ldots, 2e_{n+1}$, 
where $e_i = (0, \ldots, 0, 1, 0, \ldots, 0)$ has its single 1 in position $i$. These vectors can be obtained by taking the first 
(resp. second, etc.) row twice and erasing the last $(n-k)$ entries of the vector by subtracting 
appropriate rows of the sub-matrix $qr\,\mathrm{Id}_{n-k}$: for $q = 2$ every entry of $2rH$ is a multiple of $2r$. Since these vectors have nothing to do 
with the original message $m$, this attack does not work with the Niederreiter cryptosystem 
based on binary Goppa codes. 


5 Attacks infeasible with conversions 


The attacks outlined in the following aim at revealing partial information about the 
message sent, or the error vector used for encryption in the McEliece case. Thus they 
are not stand alone attacks, i.e. they cannot be used to recover the plaintext completely 
or to get the private keys, but they provide ways to reduce the system size and thus the 
complexity of consecutive attacks. 

One thing all attacks dealt with in this section have in common is that they can be 
avoided completely by suitable conversions of the original McEliece cryptosystem 
[27]. Thus the attacks are mentioned here mostly for completeness' sake and to un-
derline the importance of using one of the proposed conversions, some of which we 
present later. 


5.1 Taking advantage of partially known plaintexts 


An attacker on the McEliece cryptosystem may use known bits of a sent message to 
recover the whole plaintext. More precisely, partial knowledge of the originally 
sent message corresponds to a reduction of the cryptosystem's parameters. 

Suppose an adversary knows the target plaintext bits $m_I$ for an index set $I \subseteq 
\{1, 2, \ldots, k\}$. Denote by $J$ the complement of $I$ in $\{1, 2, \ldots, k\}$, and by $G_{I\cdot}$, $G_{J\cdot}$ the 
rows of $G$ indexed by $I$ and $J$. Then the adver-
sary may try to recover $m_J$ using the following reduction: 

$$mG = m_I G_{I\cdot} \oplus m_J G_{J\cdot}.$$

Therefore, we have 

$$c \oplus m_I G_{I\cdot} = m_J G_{J\cdot} \oplus z,$$

i.e. with $c' := c \oplus m_I G_{I\cdot}$ 

$$c' = m_J G_{J\cdot} \oplus z.$$

An analogous reduction can be achieved for the Niederreiter scheme. All attacks de-
scribed in the previous section that do not use the particular structure of the code can be 
applied to try and solve this equation for $m_J$. In particular, this includes the General-
ized Information-Set-Decoding attack and the Finding-Low-Weight-Codeword attack. 
(Note that their success is no longer guaranteed as we do not know whether $G_{J\cdot}$ con-
tains an information set, which is needed in both cases.) However, the computational 
cost of those attacks can be critically reduced as $k$ drops to $|J|$. 


5.2 Taking advantage of known relations between messages 


An adversary for the McEliece scheme may use the relation between two encrypted 
messages to determine error bits [6]. This attack cannot be adapted to the Niederreiter 
cryptosystem. Let $m_1, m_2$ be two messages related by a known $\Delta$, e.g. $\Delta(m_1, m_2) = m_1 \oplus m_2$. 
Then 

$$c_1 \oplus c_2 \oplus \Delta(m_1, m_2)\,G = z_1 \oplus z_2.$$

Zero bits on the left hand side of this equation imply 

$$z_1|_k \oplus z_2|_k = 0 \;\Rightarrow\; \begin{cases} 1 = z_1|_k = z_2|_k, \\ 0 = z_1|_k = z_2|_k. \end{cases}$$

Since the weight of the error vectors $z_1, z_2$ is small, the first case is highly unlikely: 

$$\Pr(1 = z_1|_k = z_2|_k) = \left(\frac{t}{n}\right)^2 .$$

This enables an adversary to efficiently guess error bits: every coordinate where the left hand 
side is 0 is, with overwhelming probability, error-free in both ciphertexts, so an error-free 
information set can be drawn from these coordinates. 

A special case is the message-resend attack ($m_1 = m_2$), where the attacker can recover $z_1 \oplus z_2 = 
c_1 \oplus c_2$ directly. 
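The message-resend attack above, as an added worked example (not code from the paper): two encryptions of the same message under plain McEliece are XORed to expose $z_1 \oplus z_2$, an information set is drawn from the coordinates that are zero there, and the plaintext is recovered by solving a linear system over GF(2), exactly as the Generalized Information-Set-Decoding attack would but without any search over error positions. The toy parameters (128, 64, 4), the systematic random public matrix (the attack never touches the trapdoor, so no Goppa structure is needed) and the retry budget are this example's assumptions.

```python
# Added example, not code from the paper: Berson's message-resend attack
# (Section 5.2) on plain McEliece, simulated on a toy random code.  The
# parameters, the systematic public matrix and the retry budget are this
# example's own assumptions.
import random

N, K, T = 128, 64, 4   # toy parameters (assumed); McEliece's original ones are (1024, 524, 50)

def vec_add(a, b):
    return [x ^ y for x, y in zip(a, b)]

def mat_vec(m, G):
    """m * G over GF(2); m is a list of k bits, G a list of k rows of n bits."""
    out = [0] * len(G[0])
    for bit, row in zip(m, G):
        if bit:
            out = vec_add(out, row)
    return out

def random_error(n, t, rng):
    """Error vector of length n and weight exactly t with uniformly chosen support."""
    z = [0] * n
    for i in rng.sample(range(n), t):
        z[i] = 1
    return z

def public_key(n, k, rng):
    """A random systematic generator matrix G = [I_k | A] (assumed): the attack
    never uses the private key, so no Goppa structure is needed here."""
    return [[int(j == i) for j in range(k)] + [rng.randrange(2) for _ in range(n - k)]
            for i in range(k)]

def encrypt(m, G, t, rng):
    """Plain McEliece: c = mG xor z with a fresh random z of weight t."""
    return vec_add(mat_vec(m, G), random_error(len(G[0]), t, rng))

def solve_gf2(A, b):
    """Solve x * A = b over GF(2) for a square matrix A (rows given as bit lists).
    Returns None when A is singular."""
    k = len(A)
    # Augmented system [A^T | b]: equation j reads  sum_r x_r * A[r][j] = b[j].
    rows = [[A[r][j] for r in range(k)] + [b[j]] for j in range(k)]
    for col in range(k):
        pivot = next((r for r in range(col, k) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(k):
            if r != col and rows[r][col]:
                rows[r] = vec_add(rows[r], rows[col])
    return [rows[r][k] for r in range(k)]   # reduced to [I | x]

def message_resend_attack(c1, c2, G, t, rng, max_tries=500):
    """Given two encryptions of the same m, recover m without the private key."""
    n, k = len(G[0]), len(G)
    diff = vec_add(c1, c2)                         # = z1 xor z2: the codeword part cancels
    safe = [i for i in range(n) if diff[i] == 0]   # error-free in both, unless z1 and z2 both hit i
    for _ in range(max_tries):
        J = rng.sample(safe, k)                    # candidate information set from the safe positions
        A = [[row[j] for j in J] for row in G]     # G restricted to the columns in J
        m = solve_gf2(A, [c1[j] for j in J])
        if m is None:
            continue                               # J is not an information set, draw again
        if sum(vec_add(c1, mat_vec(m, G))) <= t:   # residual must be a valid weight-<=t error vector
            return m
    return None                                    # every draw hit a shared error position (unlikely)

def demo(seed=1):
    rng = random.Random(seed)
    G = public_key(N, K, rng)
    m = [rng.randrange(2) for _ in range(K)]
    c1 = encrypt(m, G, T, rng)   # the same message is sent twice with independent error vectors
    c2 = encrypt(m, G, T, rng)
    return m, message_resend_attack(c1, c2, G, T, rng)

if __name__ == "__main__":
    original, recovered = demo()
    print("recovered == m:", recovered == original)
```

The residual check at the end of each try is what makes the attack robust: when $z_1$ and $z_2$ happen to share a position, that coordinate is wrongly classed as safe, but a solution computed from a set containing it leaves a residual of large weight and is simply discarded.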


5.3 Reaction attack 


This attack is a weaker version of an adaptively chosen ciphertext attack, in that it 
does not require any decryptions, but only depends on the observation of the receiver's 
reaction to potential ciphertexts [27]. 

An adversary may intercept ciphertexts, change a few bits, and watch the reaction 
of the designated receiver to these modified ciphertexts. Sending modifications of 
an authentic ciphertext amounts to adding further error bits. If the receiver cannot 
decode (reaction: repeat request), the flipped bits were not in error originally; if decoding 
still succeeds, a flipped bit cancelled one of the original errors. 
This enables the attacker to recover an error-free information set in at most $k$ iterations 
(compare Generalized Information-Set-Decoding attack). 


5.4 Malleability 


Adding codewords, i.e. sums of rows of $G$, to a ciphertext yields another valid ciphertext 
(of a different plaintext). Therefore, the original McEliece cryptosystem is not non-malleable. Note that 
this is no problem in the Niederreiter case, as there is no known relation that may be 
used to create new decodable syndromes from old ones. 


6 Conversions achieving CCA2-security 


Suppose an adversary who wants to recover a message from its ciphertext only has 
access to a decryption oracle. He may not query the oracle on the target ciphertext. 
Apart from that, the oracle provides him with ciphertext-plaintext pairs of his choice. 
A cryptosystem is secure against adaptive chosen ciphertext attacks (CCA2 secure) if 
such an attacker has no advantage in deciphering a given ciphertext. It is indistinguish-
able in the CCA2 model if the attacker has no advantage in determining, for a given 
ciphertext and two plaintexts, which of them was encrypted. 

In [27] Kobara and Imai review two generic conversions. One was originally pre-
sented by Pointcheval [42] and the other by Fujisaki and Okamoto [16]. Both conver-
sions were designed to achieve CCA2 security for a restricted class of public key cryp-
tosystems. Kobara and Imai show that these conversions can successfully be applied 
to the McEliece cryptosystem. Furthermore they propose three conversion schemes 
specifically tailored for the McEliece cryptosystem. To explain these conversions, we 
introduce the following notation: 

  r, r'        Random numbers 
  Conv         Bijective conversion of any number in $\mathbb{Z}/\binom{n}{t}\mathbb{Z}$ to the corresponding 
               error vector of length $n$ and weight $t$ 
  H            Cryptographic hash function, outputting bit-strings of length $\log_2 \binom{n}{t}$ 
  R            Cryptographically secure pseudo random number generator, expanding 
               fixed length seeds 
  E            McEliece encryption function, taking as first argument the message 
               to be encrypted and as second one the error vector: $E(m, z) = c$ 
  D            McEliece decryption function: $D(c) = (m, z)$ 
  MSB_n(m)     The $n$ leftmost (most significant) bits of $m$ 
  LSB_n(m)     The $n$ rightmost (least significant) bits of $m$ 
  Len(m)       The bit length of $m$ 
  a||b         Concatenation of the bit strings $a$ and $b$ 

(In the algorithms below $c = (c_1 \| c_2)$ is split as $c_1 = \mathrm{MSB}_n(c)$, so MSB denotes the leftmost bits.)


6.1 Pointcheval’s generic conversion 


A function $f : X \times Y \to Z$, $(x, y) \mapsto z$ is partially trapdoor one-way (PTOWF) if it 
is infeasible to recover $x$ or $y$ from their image $z$ alone, but the knowledge of a secret 
enables a partial inversion, i.e., finding $x$ from $z$. Pointcheval [42] demonstrated how 
any PTOWF can be converted to a public-key cryptosystem that is indistinguishable 
against CCA2. 

The McEliece cryptosystem draws its security from the assumption that its primitive 
is a PTOWF: The function $(m, z) \mapsto E(m, z)$ can be inverted to recover $m$ iff the private 
key, i.e. the generator matrix of the underlying Goppa code, is known. 


6.2 Fujisaki-Okamoto’s generic conversion 


Fujisaki and Okamoto propose hybrid encryption that merges a symmetric encryp- 
tion scheme which is secure in the Find-Guess model, with an asymmetric One-Way- 
Encryption scheme which is sufficiently probabilistic, to obtain a public-key cryptosys- 
tem which is indistinguishable against CCA2. See [16] for more details. The adapta- 
tion of Kobara and Imai to the McEliece primitive uses one-time padding with random 
numbers for the symmetric part, and McEliece encryption for the asymmetric one. 
Algorithm 6.1.1 Pointcheval's generic conversion: encryption 

Input: Random numbers r, r' and the (possibly padded) message m. 
Output: A McEliece-based ciphertext c. 

    z  = Conv(H(m||r)) 
    c1 = E(r', z) 
    c2 = R(r') ⊕ (m||r) 
    c  = (c1||c2) 

Algorithm 6.1.2 Pointcheval's generic conversion: decryption 

Input: A ciphertext c and the corresponding McEliece decryption function D. 
Output: The target plaintext m, or rejection of c. 

    c1 = MSB_n(c) 
    c2 = LSB_{Len(m)+Len(r)}(c) 
    (r', z) = D(c1) 
    (m||r) = c2 ⊕ R(r') 
    if c1 = E(r', Conv(H(m||r))) then 
        return m 
    else 
        reject c 


Algorithm 6.2.1 Fujisaki-Okamoto's generic conversion: encryption 

Input: A random number r and the (possibly padded) message m. 
Output: A McEliece-based ciphertext c. 

    z  = Conv(H(r||m)) 
    c1 = E(r, z) 
    c2 = R(r) ⊕ m 
    c  = (c1||c2) 

Algorithm 6.2.2 Fujisaki-Okamoto's generic conversion: decryption 

Input: A ciphertext c and the corresponding McEliece decryption function D. 
Output: The target plaintext m, or rejection of c. 

    c1 = MSB_n(c) 
    c2 = LSB_{Len(m)}(c) 
    (r, z) = D(c1) 
    m = c2 ⊕ R(r) 
    if c1 = E(r, Conv(H(r||m))) then 
        return m 
    else 
        reject c 
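Algorithms 6.2.1 and 6.2.2 as an added, runnable example (not code from the paper or from Kobara and Imai). The McEliece primitive is a toy: a random systematic code of minimum distance at least $2t+1$, decoded by the legitimate receiver through exhaustive search over all error patterns of weight at most $t$, which stands in for the Goppa trapdoor and only works at toy size. The parameters (32, 8, 3), SHA-256 for H, SHAKE256 for R and the realisation of Conv as an explicit list of all weight-$t$ vectors are this example's assumptions. The demonstration also replays the malleability attack of Section 5.4 (adding a row of $G$ to the McEliece part) and shows the re-encryption check rejecting it.

```python
# Added example, not code from the paper: the Fujisaki-Okamoto conversion
# (Algorithms 6.2.1 / 6.2.2) around a toy McEliece primitive.  Parameters, the
# exhaustive-search "trapdoor", SHA-256 / SHAKE256 for H and R, and the explicit
# Conv table are this example's assumptions.
import hashlib
import random
from itertools import combinations

N, K, T = 32, 8, 3    # toy parameters (assumed); far too small for real use (r has only 2^8 values)

def vec_add(a, b):
    return [x ^ y for x, y in zip(a, b)]

def mat_vec(m, G):
    """m * G over GF(2); m is a list of k bits, G a list of k rows of n bits."""
    out = [0] * len(G[0])
    for bit, row in zip(m, G):
        if bit:
            out = vec_add(out, row)
    return out

def keygen(n, k, t, rng):
    """Random systematic G = [I_k | A] whose code has minimum distance >= 2t+1,
    checked by enumerating all 2^k codewords.  Stands in for the Goppa trapdoor:
    "knowing the private key" here means being able to afford exhaustive
    decoding.  A systematic public matrix is fine for the converted scheme."""
    while True:
        G = [[int(j == i) for j in range(k)] + [rng.randrange(2) for _ in range(n - k)]
             for i in range(k)]
        if all(sum(mat_vec([(x >> i) & 1 for i in range(k)], G)) >= 2 * t + 1
               for x in range(1, 1 << k)):
            return G

def error_patterns(n, t):
    """All vectors of length n and weight <= t."""
    for w in range(t + 1):
        for pos in combinations(range(n), w):
            yield [int(i in pos) for i in range(n)]

def mc_encrypt(m, z, G):
    """E(m, z) = mG xor z."""
    return vec_add(mat_vec(m, G), z)

def mc_decrypt(c, G, t):
    """D(c) = (m, z), or None if no error vector of weight <= t explains c.
    The answer is unique because the code has minimum distance >= 2t+1."""
    k = len(G)
    for z in error_patterns(len(c), t):
        y = vec_add(c, z)
        if mat_vec(y[:k], G) == y:        # systematic code: the first k bits of a codeword are m
            return y[:k], z
    return None

WEIGHT_T = list(combinations(range(N), T))   # Conv: Z/binom(n,t)Z -> weight-t error vectors

def conv(idx):
    return [int(i in WEIGHT_T[idx]) for i in range(N)]

def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")

def H(bits):
    """Hash onto Z/binom(n,t)Z (the mod reduction is slightly biased; fine for a toy)."""
    digest = hashlib.sha256(bits_to_bytes(bits)).digest()
    return int.from_bytes(digest, "big") % len(WEIGHT_T)

def R(seed_bits, length):
    """Pseudo random generator: expand a seed to `length` bits with SHAKE256."""
    out = hashlib.shake_256(bits_to_bytes(seed_bits)).digest((length + 7) // 8)
    return [(byte >> (7 - i)) & 1 for byte in out for i in range(8)][:length]

def fo_encrypt(m, r, G):
    """Algorithm 6.2.1: c = E(r, Conv(H(r||m))) || (R(r) xor m)."""
    c1 = mc_encrypt(r, conv(H(r + m)), G)
    c2 = vec_add(R(r, len(m)), m)
    return c1 + c2

def fo_decrypt(c, G, t):
    """Algorithm 6.2.2: decode, unmask m, then re-encrypt and compare."""
    n = len(G[0])
    c1, c2 = c[:n], c[n:]
    dec = mc_decrypt(c1, G, t)
    if dec is None:
        return None                                   # not a decodable ciphertext: reject
    r, _z = dec
    m = vec_add(c2, R(r, len(c2)))
    if c1 != mc_encrypt(r, conv(H(r + m)), G):        # the check that defeats the Section 5 attacks
        return None
    return m

def demo(seed=7):
    rng = random.Random(seed)
    G = keygen(N, K, T, rng)
    m = [rng.randrange(2) for _ in range(32)]          # constructed 32-bit message
    r = [rng.randrange(2) for _ in range(K)]           # r is the k-bit McEliece "message"
    c = fo_encrypt(m, r, G)
    # Malleability attempt of Section 5.4: add a codeword (row 0 of G) to the
    # McEliece part.  Plain McEliece would decrypt this to r xor e_1 without
    # complaint; the re-encryption check rejects it.
    forged = vec_add(c[:N], G[0]) + c[N:]
    return m, fo_decrypt(c, G, T), fo_decrypt(forged, G, T)
```

The forged ciphertext still decodes (its error vector is unchanged), but the recovered $r'$ unmasks a different $m'$, so the recomputed error vector $\mathrm{Conv}(H(r'\|m'))$ no longer matches the one in the ciphertext and the decryptor rejects instead of returning a related plaintext.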


6.3 Kobara—Imai’s specific conversions 


Kobara and Imai also present three conversions of their own. Their main concern is to 
decrease data overhead introduced by the previously mentioned schemes. One of the 
corresponding conversions is given below. 


Algorithm 6.3.1 Kobara-Imai's specific conversion γ: encryption 
Input: A random number r, a predetermined public constant const and the (possibly 
padded) message m. 
Output: A McEliece-based ciphertext c. 
Note: It is assumed that the message m is prepared so that Len(m) ≥ ⌊log_2 C(n,t)⌋ + 
k − Len(const) − Len(r), where n, k and t are the parameters used for McEliece 
encryption. 

    c1 = R(r) ⊕ (m||const) 
    c2 = r ⊕ H(c1) 
    c3 = LSB_{⌊log_2 C(n,t)⌋ + k}(c2||c1) 
    c4 = LSB_k(c3) 
    c5 = MSB_{⌊log_2 C(n,t)⌋}(c3) 
    z  = Conv(c5) 
    if Len(c2||c1) − ⌊log_2 C(n,t)⌋ − k > 0 then 
        c6 = MSB_{Len(c2||c1) − ⌊log_2 C(n,t)⌋ − k}(c2||c1) 
        c  = (c6 || E(c4, z)) 
    else 
        c  = E(c4, z) 

Algorithm 6.3.2 Kobara-Imai's specific conversion γ: decryption 
Input: A ciphertext c, the bit length Len(r) of the random number used in encryption 
and the corresponding McEliece decryption function D. 
Output: The target plaintext m, or rejection of c. 

    c6 = MSB_{Len(c) − n}(c)                       (again, c6 may be empty) 
    (c4, z) = D(LSB_n(c)) 
    c5 = Conv^{-1}(z) 
    c2 = MSB_{Len(r)}(c6||c5||c4)                  (c6||c5||c4 = c2||c1 by construction) 
    c1 = LSB_{Len(c6||c5||c4) − Len(r)}(c6||c5||c4) 
    r' = c2 ⊕ H(c1) 
    (m||const') = c1 ⊕ R(r') 
    if const' = const then 
        return m 
    else 
        reject c 
  Conversion          | Data redundancy = Ciphertext size − Plaintext size
                      | general                                 | (n,k) = (1024, 524), t = 50 | (2048, 1608), t = 40 | (2048, 1278), t = 70
  Pointcheval         | Len(r) + n                              | 1184 | 2308 | 2308
  Fujisaki-Okamoto    | n                                       | 1024 | 2048 | 2048
  Kobara-Imai         | n + Len(const||r) − ⌊log_2 C(n,t)⌋ − k   |  536 |  480 |  655
  Original McEliece   | n − k                                   |  500 |  440 |  770

Table 2. Conversions and data redundancy* 

* We follow the suggestion of Kobara and Imai and use Len(r) = Len(const) = 160. 


Kobara and Imai claim to achieve a reduction in data redundancy even below the 
values for the original McEliece PKCS for large parameters. We point out that this is 
only true if the message is prepared in such a way that 

$$\mathrm{Len}(m) \ge \left\lfloor \log_2 \binom{n}{t} \right\rfloor + k - \mathrm{Len}(r) - \mathrm{Len}(const).$$

Nonetheless, the cut in data overhead is remarkable. Their main result concerning 
security is the following: 

Theorem 6.1. Breaking indistinguishability in the CCA2 model using any of the con-
versions presented above is as hard as breaking the original McEliece public key sys-
tem. 

Furthermore, the Known-Partial-Plaintext Attack, the Related Message Attack, the 
Reaction Attack and the Malleability Attack all become impossible, since relations 
among plaintexts no longer result in relations among ciphertexts. Already the simple 
hashing of messages before encryption prevents this. 


7 Other cryptographic applications 


In this section we want to look into digital signature and identification schemes using 
error correcting codes. Up to now there has been little research concerning the devel- 
opment of secure and efficient digital signatures based on the McEliece cryptosystem. 
In fact McEliece claimed in his original paper “the decryption algorithm [...] cannot 
be used to produce unforgeable ‘signatures’ .” [37] 

The first ideas to derive digital signatures from error-correcting codes have been 
presented by Xinmei in [52]. Xinmei’s suggestion uses a McEliece-type encryption 
but was attacked and modified by Harn and Wang [23] and finally broken by Alabbadi 
and Wicker in 1992 [2]. 

One year later, J. Stern proposed an identification scheme based on syndrome decod- 
ing [50] but acknowledged himself that it could not be modified to an efficient signature 
scheme. 

Alabbadi and Wicker reviewed the chances to design digital signature schemes based 
on error-correcting codes in [3] but did not find feasible models. Their own proposal 
was successfully attacked by Stern [51]. 

Thus all attempts to create secure and reasonably efficient digital signatures on the 
basis of the McEliece cryptosystem had failed until the paper of Courtois, Finiasz and 
Sendrier [12]. 


7.1 Stern’s identification scheme 


Stern's identification scheme is based on the Niederreiter cryptosystem. 

Let $H$ be an $(n-k) \times n$ matrix common to all users. Chosen randomly, Stern claims 
that $H$ generally will provide a parity check matrix for a code with good error correct-
ing capability. Every user receives an $n$-bit private key $s$ of prescribed weight $p$. 

• Public key: $H$, $i = Hs^{\top}$, $p$ 
• Private key: $s$ 

The security of the scheme relies on the difficulty of the syndrome decoding prob-
lem, that is on the difficulty of determining a preimage $s$ of weight $p$ of $i = Hs^{\top}$. Without the 
secret key, an adversary has two alternatives to deceive the verifier: 

1. He can work with a random $s'$ of weight $p$ instead of the secret key. He will succeed 
if he is asked $b \in \{0, 2\}$, but in case $b = 1$ he will hardly be able to produce the correct 
$c_1, c_3$ since $Hs'^{\top} \ne Hs^{\top} = i$. 
Protocol 7.1.1 Stern's identification scheme 

  Prover                                                Verifier 

  Choose a random n-bit vector y and a random 
  permutation σ, and compute 
      c1 = (σ, Hy^T),  c2 = σ(y),  c3 = σ(y ⊕ s) 

  Send commitments to (c1, c2, c3)        -------> 

                                          <-------     Send a random request b ∈ {0, 1, 2} 

  If b = 0: reveal y, σ                   -------> 
  If b = 1: reveal y ⊕ s, σ               -------> 
  If b = 2: reveal σ(y), σ(s)             -------> 

                                                       If b = 0: check c1, c2 
                                                       If b = 1: check c1, c3 and 
                                                                 Hy^T = H(y ⊕ s)^T ⊕ i 
                                                       If b = 2: check c2, c3 and 
                                                                 wt(σ(s)) = p 


2. He can choose $s'$ from the set of all preimages of $i$ under $H$, i.e. $s' \in H^{-1}(i)$. This 
time he will fail to answer the request $b = 2$ since $\mathrm{wt}(s') \ne p$. 

Thus the attacker has a chance of 2/3 to deceive the verifier in any single round, which is 
why the protocol is repeated; after $\ell$ rounds the cheating probability is $(2/3)^{\ell}$. The identi-
fication scheme of Stern has not been broken. Unfortunately, it can not be adapted to 
obtain an efficient signature scheme. The standard method to convert the identification 
procedure into a procedure for signing is to replace verifier-queries by values suitably 
derived from the message to be signed. This leads to a blow-up of each (hashed) plain-
text bit to $2n$ signature bits and is therefore hardly applicable here. 
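One round of Protocol 7.1.1 as an added simulation (not code from the paper or from Stern): an honest prover passes all three challenges, a cheater holding a random weight-$p$ vector fails exactly the challenge $b = 1$, and a cheater holding a preimage of $i$ of the wrong weight fails exactly $b = 2$. The toy parameters (48, 24, 4), the hash commitment (SHA-256 over a random nonce and a length-prefixed encoding of the committed data) and the assumption that the common matrix is kept in systematic form $H = [A \mid I_{n-k}]$ (which makes a wrong-weight preimage of $i$ trivial to write down) are this example's own.

```python
# Added example, not code from the paper: one round of Stern's identification
# scheme (Protocol 7.1.1) plus the two cheating strategies from the text.
# Parameters, the commitment scheme and the systematic form of H are assumptions.
import hashlib
import random

N, K, P = 48, 24, 4    # toy parameters (assumed); real instances are much larger

def syndrome(H, v):
    """H v^T over GF(2); H is a list of (n-k) rows of n bits."""
    return [sum(h & x for h, x in zip(row, v)) & 1 for row in H]

def vec_add(a, b):
    return [x ^ y for x, y in zip(a, b)]

def apply_perm(sigma, v):
    """sigma(v): position i of the result holds coordinate sigma[i] of v."""
    return [v[j] for j in sigma]

def weight(v):
    return sum(v)

def commit(*parts, nonce):
    """Hash commitment to a tuple of small-integer lists, hidden behind a nonce."""
    h = hashlib.sha256(nonce)
    for part in parts:
        h.update(len(part).to_bytes(2, "big"))   # length prefix: unambiguous concatenation
        h.update(bytes(part))
    return h.digest()

def random_weight_p(n, p, rng):
    v = [0] * n
    for j in rng.sample(range(n), p):
        v[j] = 1
    return v

def keygen(n, k, p, rng):
    """Common matrix H = [A | I_{n-k}] (assumed systematic; row operations and a
    column permutation bring any H into this form) and one user's key pair."""
    H = [[rng.randrange(2) for _ in range(k)] + [int(j == row) for j in range(n - k)]
         for row in range(n - k)]
    s = random_weight_p(n, p, rng)
    return H, syndrome(H, s), s

def prover_commit(H, s, rng):
    """Step 1: pick y and sigma, commit to c1 = (sigma, Hy^T), c2 = sigma(y), c3 = sigma(y xor s)."""
    n = len(H[0])
    y = [rng.randrange(2) for _ in range(n)]
    sigma = list(range(n))
    rng.shuffle(sigma)
    nonces = [bytes(rng.randrange(256) for _ in range(16)) for _ in range(3)]
    c1 = commit(sigma, syndrome(H, y), nonce=nonces[0])
    c2 = commit(apply_perm(sigma, y), nonce=nonces[1])
    c3 = commit(apply_perm(sigma, vec_add(y, s)), nonce=nonces[2])
    return (c1, c2, c3), (y, sigma, nonces)

def prover_respond(b, s, state):
    """Step 3: open the two commitments selected by the challenge b."""
    y, sigma, nonces = state
    if b == 0:
        return y, sigma, nonces[0], nonces[1]
    if b == 1:
        return vec_add(y, s), sigma, nonces[0], nonces[2]
    return apply_perm(sigma, y), apply_perm(sigma, s), nonces[1], nonces[2]

def verifier_check(H, i, p, commitments, b, response):
    """Step 4: the checks of Protocol 7.1.1 for challenge b."""
    c1, c2, c3 = commitments
    if b == 0:
        y, sigma, n1, n2 = response
        return (c1 == commit(sigma, syndrome(H, y), nonce=n1)
                and c2 == commit(apply_perm(sigma, y), nonce=n2))
    if b == 1:
        w, sigma, n1, n3 = response           # w = y xor s, so H w^T xor i = H y^T
        return (c1 == commit(sigma, vec_add(syndrome(H, w), i), nonce=n1)
                and c3 == commit(apply_perm(sigma, w), nonce=n3))
    sy, ss, n2, n3 = response                 # sigma(y) and sigma(s)
    return (c2 == commit(sy, nonce=n2)
            and c3 == commit(vec_add(sy, ss), nonce=n3)
            and weight(ss) == p)

def run_round(H, i, p, s_claimed, b, rng):
    commitments, state = prover_commit(H, s_claimed, rng)
    return verifier_check(H, i, p, commitments, b, prover_respond(b, s_claimed, state))

def demo(seed=3):
    rng = random.Random(seed)
    H, i, s = keygen(N, K, P, rng)
    s_wrong_syndrome = random_weight_p(N, P, rng)   # cheater 1: right weight, wrong syndrome
    s_wrong_weight = [0] * K + i                    # cheater 2: H s'^T = i trivially, weight = wt(i)
    return {
        "honest": [run_round(H, i, P, s, b, rng) for b in range(3)],
        "wrong_syndrome": [run_round(H, i, P, s_wrong_syndrome, b, rng) for b in range(3)],
        "wrong_syndrome_is_key": syndrome(H, s_wrong_syndrome) == i,
        "wrong_weight": [run_round(H, i, P, s_wrong_weight, b, rng) for b in range(3)],
        "wrong_weight_is_key": weight(s_wrong_weight) == P,
    }
```

The two `*_is_key` flags record the (negligible at real sizes) event that a cheater's vector happens to be a genuine secret key; otherwise each cheater answers exactly two of the three challenges, which is where the 2/3 per-round cheating probability in the text comes from.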


7.2 CFS signature scheme 


The only working signature scheme based on the McEliece, or rather on the Nieder- 
reiter encryption was presented by Courtois, Finiasz and Sendrier in [12]. Analogously 
to the results on the original McEliece PKCS, the security of the CFS scheme can be 
reduced to the Bounded Distance Decoding Problem. The Bounded Distance Decod- 
ing Problem (BD) is the Syndrome Decoding Problem for codes with known minimal 
distance. This extra knowledge allows the decoder to restrict his search to codewords 
within the given distance to the received one. Some believe this problem not to be 
NP-complete, as determining the minimum distance of a linear code in itself already is 
NP-complete, and this additional information is given in the BD case. 

Let the underlying code be a (n, k)-Goppa code, with error-correcting capability t, 
where n = 2™ and k = n — tm, for some integer m. Denote with G the generator 
matrix and with H the parity check matrix, respectively. 

The idea of the CFS algorithm is to repeatedly hash the document augmented by 
a counter, until the output is a decodable syndrome. The signer uses his secret key 
to determine the corresponding error vector. Together with the current value of the 
counter, this error vector will then serve as signature. 

The error vector length $n$ can be reduced considerably, taking into account that only $t$ 
of its bits are nonzero. With the parameters suggested by Courtois, Finiasz and Sendrier 
the number of possible error vectors is approximately given by 

$$\binom{n}{t} = \binom{2^{16}}{9} \approx 2^{126},$$

so that a 126-bit index suffices to address each of them. We need the following 
ingredients: 

  h    Public hash function. 
  I    Function that assigns each word of weight $t$ and length $n$ a unique 
       index in the set of all these words. 
  T    McEliece trapdoor function, outputting the error vector for a given 
       decodable syndrome. 
  H    The public parity check matrix. 


Algorithm 7.2.1 CFS digital signature: signing 

Input: h, I, T, r and the document to be signed d. 
Output: A CFS signature s. 

    z = h(d) 
    choose an r-bit vector i at random 
    s = h(z||i) 
    while s is not decodable do 
        choose an r-bit vector i at random 
        s = h(z||i) 
    e = T(s) 
    s = (I(e)||i) 

Algorithm 7.2.2 CFS signature scheme: verification 

Input: A signature s = (I(e)||i), the document d and the public key H. 
Output: Is the signature valid? 

    e' = I^{-1}(I(e)) 
    s1 = H e'^T 
    s2 = h(h(d)||i) 
    if s1 = s2 then 
        accept s 
    else 
        reject s 


192 D. Engelbert, R. Overbeck, and A. Schmidt 


The average number of attempts needed to reach a decodable syndrome can be esti-
mated by comparing the total number of syndromes $N_0 = 2^{n-k} = 2^{tm}$ to the number of correctable 
syndromes $N_{dec} = \binom{n}{t} \approx n^t/t! = 2^{tm}/t!$. 

Thus each syndrome has a probability of about $1/t!$ to be decodable. The CFS scheme needs 
about $t!$ iterations, producing signatures of length $\log_2\left(t!\binom{n}{t}\right) \approx \log_2(n^t)$. Thus, $r$ has 
to be larger than $\log_2(t!)$. 


  parameters        n                          | 2^15   | 2^16   | 2^16   | 2^17  | 2^17   | 2^17
                    t                          |   10   |    9   |   10   |   8   |    9   |   10
  size of public key in MB  k(n−k)/(8·1024^2) |  0.58  |  1.12  |  1.12  |  2.38 |  2.38  |  2.38
  signature cost    t! t^2 m^3                 |  2^40  |   ?    |   ?    |   ?   |   ?    |   ?
  verification cost t column operations†       |   ?    |   ?    |   ?    |   ?   |   ?    |   ?
  signature length  log_2(n^t)                 |  150   |  144   |  160   |  136  |  153   |  170
  CC-LWCW           p = 2, l = 2m − 1           | 2^87.4 | 2^83.7 | 2^90.9 |   ?   | 2^88.2 | 2^94.6
  Leon-LWCW         p = 3, l = m               | 2^96   | 2^98   | 2^105  | 2^98  | 2^107  | 2^115
  GISD              p = 2                      | 2^102  | 2^105  | 2^112  | 2^106 | 2^115  | 2^123

Table 3. Parameter sizes and costs (? = value not legible in the source scan) 

† Each column operation here is an addition of columns of the parity check matrix with n entries. 


The best known attack on the CFS signature scheme uses the birthday paradox; for the 
parameters above it is infeasible (compare [12]). 


8 Performance and parameters 


The main reason why McEliece received little attention in practice is the 
huge key size in comparison to RSA. Like RSA, its security remains unbroken in its 
original form. McEliece is as old as RSA, but less well studied. In the following, we 
review some aspects of implementation, performance and (good) choice of parameters. 

As we have already mentioned, the key sizes are quite big in comparison to RSA. 
However, the McEliece cryptosystem has much faster en- and decryption. We take 
a look at the running times first and analyze the key sizes afterwards. 


8.1 Performance of en-/decryption and key generation 


The encryption of a message in the original McEliece scheme takes about 

$$\frac{k}{2} \cdot n + t$$

binary operations plus the time to generate the error vector. For decryption, the decryp-
tion algorithm gets faster if we store some matrices in advance, which only depend on 
the private key. We return to the notations of Section 1.3 and 1.4 respectively. 

Theorem 8.1. The decryption of a ciphertext of a McEliece instance generated by a 
$(n = 2^m, k, d)$ binary irreducible Goppa code requires $\mathcal{O}(ntm^2)$ binary operations. 

Proof. Let $J \subseteq \{1, \ldots, n\}$ with $|J| = k$ and $G_J$ invertible. We may compute $mSG \oplus 
zP^{-1}$ in $n \cdot m$ binary operations and the corresponding syndrome in $n \cdot (n-k)$ more. 
Applying the algorithm of Patterson ([41], Algorithm 2.3.1) we need $\mathcal{O}(n \cdot t \cdot m^2)$ 
binary operations to identify the vector $zP^{-1}$ and $n$ more to get $mSG$. Having computed 
$(SG_J)^{-1}$ we need only further $k^2$ binary operations to recover the message $m$. □ 


The time needed to encrypt a message with Niederreiter depends on the method of 
representing the message by an appropriate plaintext $e$ of length $n$ and weight $t$. This 
could be done in several ways. We just want to point out that the distribution of the 
support of $e$ should be (almost) uniform to avoid correct guessing of the positions of 
the zeros (compare [43]). For example one could use methods derived from [38] or 
simple enumeration of all possible error vectors. The time of decryption depends on 
the time to recover the plaintext and the time to reconstruct the original message from 
that plaintext. 

Theorem 8.2. Recovering the plaintext from a ciphertext of a Niederreiter instance 
generated by a $(n, k, d)$ Goppa code requires $\mathcal{O}(ntm^2)$ binary operations. 

Proof. The proof is analogous to the one of the theorem above. □ 


When generating an instance of the McEliece cryptosystem with $n = 2^m$ we sup-
pose that we already know a polynomial $F \in \mathbb{F}_2[X]$ s.t. $\mathbb{F}_2[X]/(F) \cong \mathbb{F}_{2^m}$. From 
[20] we know that the number of monic irreducible polynomials of degree $t$ over $\mathbb{F}_{2^m}$ 
is roughly $2^{mt}/t$. Thus the probability of getting an irreducible polynomial 
by choosing a random one of degree $t$ with leading coefficient $\ne 0$ is roughly $1/t$. 
To check the irreducibility requires $\mathcal{O}(t^2 m^2 + tm)$ operations [25]. Having found an 
irreducible generator polynomial $g$ we need $2^m$ evaluations of $(g(x))^{-1}$ and $n(t-1)$ 
multiplications in $\mathbb{F}_{2^m}$ to generate the parity check matrix. For the McEliece cryp-
tosystem we need a Gaussian elimination ($\mathcal{O}((n-k)^2)$ binary operations) at that point 
to compute the generator matrix. Next we have to generate the permutation and the 
scramble matrix and multiply them with the generator matrix, which can be done in 
$\mathcal{O}(k^2 n + n^2)$ (McEliece) and $\mathcal{O}((n-k)^2 n + n^2)$ (Niederreiter) binary operations re-
spectively. Together with the time necessary to invert $SG_J$ and $M$, this leads to the 
following theorem: 

Theorem 8.3. The running time (in binary operations) to generate a key pair for the 
McEliece cryptosystem is $\mathcal{O}(k^2 n + n^2 + t(n-k) + (n-k)^2)$. A key pair for the 
Niederreiter cryptosystem may be generated in $\mathcal{O}((n-k)^2 n + n^2 + t(n-k))$ bi-
nary operations. 


8.2 Key sizes 


The method of storing the private key offers some variants. First we would want to 
store the Goppa polynomial and the generator polynomial of $\mathbb{F}_{2^m}$ and additionally the 
check matrix $H$. Second, it is better to also store $M^{-1}$ or $(SG_J)^{-1}$ to enhance the 
performance of decryption. The private key stored that way has the size of 

$$(n-k)\,n + (n-k+1+2\log_2 n) + k^2 + n\log_2 n$$

bits for the McEliece cryptosystem and 

$$(n-k+1+2\log_2 n) + (n-k)^2 + n\log_2 n$$

bits for the Niederreiter version (the last term in each case stores the permutation). Alternatively, the holder of the secret key can omit storing 
the matrix $H$, as it is not needed to compute the syndrome of the received ciphertext. 
However, this would decrease the speed of decryption. 

To store the public key requires $n \cdot k$ bits for the McEliece cryptosystem. For the 
CCA2-secure variants of the McEliece PKC it is possible to give the public generator 
matrix $G$ in its systematic form. If we choose the first $k$ columns of $G$ to be the identity 
matrix, then we can describe the public key by only giving the last $(n-k)$ columns of 
$G$, called the redundant part. This requires 

$$k \cdot (n-k)$$

bits. The same is true for the Niederreiter PKC. Table 4 shows the performance of 
the original McEliece PKC for some example parameters. 


8.3 Choice of parameters 


Unfortunately, there is no simple criterion for the choice of t with respect to n. One 
should try to make it as difficult as possible to attack the cryptosystem using the known 
attacks. For the sample parameter sets from Table 4, Table 5 shows the theoretical work 
factors for the McEliece cryptosystem (the CCA2-secure variants and the original one). 
In comparison, Table 6 gives the estimated work factors for the RSA cryptosystem. 
  McEliece system parameters | Size of public key in bytes  | Workfactor (binary operations)
  (n, k, d = 2t+1)            | plain      | CCA2-secure     | encryption | decryption
  (1024, 524, 101)            | 67,072     | 32,750          |     ?      |     ?
  (2048, 1608, 81)            | 411,648    | 88,440          |     ?      |     ?
  (2048, 1278, 141)           | 327,168    | 123,008         |     ?      |     ?
  (2048, 1025, 187)           | 262,400    | 131,072         |     ?      |     ?
  (4096, 2056, 341)           | 1,052,672  | 524,280         |     ?      |     ?

Table 4. Performance of the McEliece PKC (plain = n·k/8 bytes, CCA2-secure = k(n−k)/8 bytes; ? = value not legible in the source scan) 

  McEliece system parameters | Workfactor (binary operations)
  (n, k, d = 2t+1)            | GISD p = 2 | Leon-LWCW p = 3, l = m | CC-LWCW† p = 2, l = 2m − 1
  (1024, 524, 101)            |     ?      |          2^62          |     ?
  (2048, 1608, 81)            |   2^110    |           ?            |   2^98
  (2048, 1278, 141)           |     ?      |           ?            |     ?
  (2048, 1025, 187)           |     ?      |           ?            |     ?
  (4096, 2056, 341)           |     ?      |           ?            |     ?

Table 5. Attacking the McEliece PKC (? = value not legible in the source scan) 

† Approximation without determining the exact value of the number of expected iterations. The exact evaluation 
uses a Markov chain and thus no closed formula is available (see [10]). 

  System                  | Size of public key in bytes | Workfactor (binary operations)
                          |                             | encryption | decryption | best attack§
  RSA 1024-bit modulus    |    256                      |     ?      |     ?      |     ?
  RSA 2048-bit modulus    |    512                      |     ?      |     ?      |     ?
  RSA 4096-bit modulus    |   1024                      |     ?      |     ?      |     ?

Table 6. Performance of the RSA PKC (? = value not legible in the source scan) 

§ This is the NFS attack for factoring the RSA modulus, see [31]. 
As one can observe from the tables, today the best attack against McEliece's cryp-
tosystem is CC-LWCW (Algorithm 4.2.3), which is STERN-LWCW with the Markov 
chain improvement. CC-LWCW has polynomial space complexity and its work 
factor may be approximated by 


OCR 2a), 


if $t$ is small and $k/n$ is not too close to 1 (compare [46]). Since $n = 2^m$ and $k = n - tm$, 
N. Sendrier concludes that the maximum degree of security is obtained for an informa-
tion rate $k/n \approx 1 - 1/e$. We omitted the statistical decoding attack on 
the McEliece cryptosystem from the tables because of serious doubts regarding the assumptions made 
by the author of [1], compare Section 4.3. 


9 Conclusion 


After more than twenty years of research, the McEliece PKC slowly 
comes to the fore as a practical alternative to RSA in applications where long-term 
security is needed. There are no known classical or quantum computer attacks on 
McEliece's cryptosystem which have sub-exponential running time. Despite the lack 
of efficient attacks on McEliece's proposal, none of the cryptographic schemes based 
on coding theory is proven to be as secure as some classic problem of coding theory. 
Nevertheless, a key size of 123KB (the CCA2-secure variant with parameters (2048, 1278, 141) in Table 4) seems to be secure until the year 2041. 

The fast increasing amount of storage space on small devices like USB Tokens, 
PDAs and mobile phones would even allow an application of the McEliece PKC nowa- 
days. We believe that the McEliece PKC might be used within the next decades, even 
if no quantum computer is available. The advantage of code based cryptography lies in 
the faster en- and decryption, which helps to reduce the battery drain of cryptographic 
applications on mobile devices. 

Another interesting property of code based cryptography is the fact that one can 
build a complete infrastructure from it. Identification schemes, signature schemes and 
even random number generators as well as hash functions are available. 


References 


[1] A. Kh. Al Jabri, A Statistical Decoding Algorithm for General Linear Block Codes. Cryptography and Coding 2001, LNCS 2260, pp. 1-8. Springer, 2001. 

[2] M. Alabbadi and S. B. Wicker, Security of Xinmei digital signature scheme, Electronics Letters 29 (1992), pp. 890-891. 

[3] M. Alabbadi and S. B. Wicker, A digital signature scheme based on linear error-correcting block codes. ASIACRYPT '94, LNCS 917, pp. 238-248. Springer, 1995. 

[4] D. Augot, M. Finiasz, and N. Sendrier, A Family of Fast Syndrome Based Cryptographic Hash Functions. Proc. of Mycrypt 2005, LNCS 3715, pp. 64-83, 2005. 

[5] E. Berlekamp, R. McEliece, and H. van Tilborg, On the inherent intractability of certain coding problems, IEEE Transactions on Information Theory 24 (1978), pp. 384-386. 


A Summary of McEliece-Type Cryptosystems and their Security 197 


[6] 


[7] 


[8] 


[9] 


[10] 


[11] 


[12] 


[13] 


[14] 


[15] 


[16] 


[17] 


[18] 


[19] 
[20] 


[21] 


[22] 


[23] 


[24] 
[25] 


T. Berson, Failure of the McEliece Public-Key Cryptosystem Under Message-Resend and 
Related-Message Attack. Proceedings of CRYPTO, Lecture Notes in Computer Science 1294, 
pp. 213-220. Springer, 1997. 


E. F. Brickell and A. M. Odlyzko, Cryptanalysis: A Survey of Recent Results. Proc. of the 
IEEE, 76, pp. 578-593, 1988. 


A. Canteaut and F. Chabaud, Improvements of the attacks on cryptosystems based on error- 
correcting codes, Rapport interne du Departement Mathematiques et Informatique LIENS-95- 
21 (1995). 


A. Canteaut and F. Chabaut, A new algorithm for finding minimum-weight words in a linear 
code: application to primitive narrow-sense BCH-codes of length 511, IEEE Transactions on 
Information Theory 44 (1998), pp. 367-378. 


A. Canteaut and N. Sendrier, Cryptanalysis of the Original McEliece Cryptosystem. Advances 
in Cryptology - ASIACRYPT ’98 Proceedings, pp. 187—199. Springer, 1998. 


F. Chabaud, On the security of some cryptosystems based on error-correcting codes, Lecture 
Notes in Computer Science 950 (1995), pp. 131-139. 


N. Courtois, M. Finiasz, and N. Sendrier, How to achieve a McEliece-based Digital Signature 
Scheme. Advances in Cryptology - ASIACRYPT 2001, 2248, pp. 157-174. Springer, 2001. 



Received 4 April, 2006; revised 15 November, 2006 


Author information 


D. Engelbert, TU Darmstadt, Department of Computer Science, Cryptography and Computer Algebra Group, Hochschulstraße 10, 64298 Darmstadt, Germany.
Email: engelber@cdc.informatik.tu-darmstadt.de


R. Overbeck, TU Darmstadt, GK Electronic Commerce, Department of Computer Science, Cryptography and Computer Algebra Group, Hochschulstraße 10, 64298 Darmstadt, Germany.
Email: overbeck@cdc.informatik.tu-darmstadt.de


A. Schmidt, TU Darmstadt, Department of Computer Science, Cryptography and Computer Algebra Group, Hochschulstraße 10, 64298 Darmstadt, Germany.
Email: aschmidt@cdc.informatik.tu-darmstadt.de


